
Revision 2497220c

ID 2497220cf19b8c2c90fada04a6b3cdcb444da8a9
Parent a7c3f5e3
Child 408919f4

Added by Bastian Waidelich almost 7 years ago

[BUGFIX] Enforce CSRF token for sub requests

With this change dispatching of requests is intercepted recursively
so that a valid CSRF token is enforced for sub requests, too.
Previously the token was only enforced on the main ActionRequest.

Background:

Previously the CSRF token was enforced via an AOP aspect. But one aspect
can only be executed once at a time. So calls of
``Dispatcher::dispatch()`` that are invoked during the execution of the
same method (which is the case for plugin or widget sub requests)
weren't intercepted by the aspect.

This change removes the aspect in favor of a hard-coded check in the
Dispatcher class.

Change-Id: I2ccdcec97ce9fc9dcf84b9127c4f18ea800abe74
Related: FLOW-130
Releases: master
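
A simplified PHP model of the re-entrancy gap described under "Background" above, added here as an illustration and not taken from this commit or from the project's code. The class names, the fixed token and the "skip while already active" flag are assumptions standing in for the framework's aspect and security context.

```php
<?php
declare(strict_types=1);
// Simplified model; every class, function and token here is hypothetical, not project code.
const VALID_TOKEN = 'constructed-token';

final class Request {
    public function __construct(public string $name, public ?string $csrfToken, public array $subRequests = []) {}
}

function assertValidToken(Request $r): void {
    if ($r->csrfToken === null || !hash_equals(VALID_TOKEN, $r->csrfToken)) {
        throw new RuntimeException("CSRF token rejected for {$r->name}");
    }
}

// Before: the check sits in an interceptor that is skipped while it is already running.
final class InterceptedDispatcher {
    public array $dispatched = [];
    private bool $adviceActive = false;
    public function dispatch(Request $r): void {
        $outermost = !$this->adviceActive;
        $this->adviceActive = true;
        try {
            if ($outermost) { assertValidToken($r); } // only the main request is checked
            $this->dispatched[] = $r->name;
            foreach ($r->subRequests as $sub) { $this->dispatch($sub); }
        } finally {
            if ($outermost) { $this->adviceActive = false; }
        }
    }
}

// After: the check is part of dispatch() itself, so every nested call repeats it.
final class CheckingDispatcher {
    public array $dispatched = [];
    public function dispatch(Request $r): void {
        assertValidToken($r);
        $this->dispatched[] = $r->name;
        foreach ($r->subRequests as $sub) { $this->dispatch($sub); }
    }
}

// Constructed input: a main request with a valid token and a widget sub request with none.
$main = new Request('main', VALID_TOKEN, [new Request('widget', null)]);
$before = new InterceptedDispatcher();
$before->dispatch($main);
echo 'interceptor: dispatched ', implode(', ', $before->dispatched), PHP_EOL;
try { (new CheckingDispatcher())->dispatch($main); }
catch (RuntimeException $e) { echo 'in-dispatcher: ', $e->getMessage(), PHP_EOL; }
```

In the first dispatcher the token-less sub request is dispatched alongside the main request; in the second the same input is rejected at the nested call.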
