Revision 061c6804

ID 061c6804ac0626844995204bf72603aeb5c8f39d
Parent 31dd5697
Child 639c610f

Added by Bastian Waidelich over 6 years ago

[BUGFIX] Render Form CSRF token field only if authenticated

Currently ``CSRF`` tokens are only enforced if an account is
authenticated. But the form ViewHelper rendered the corresponding
hidden field for all forms with method != "GET".

Background:

Rendering the hidden field did not have a side effect before but as
CSRF tokens only make sense with an active session,
``Security\Context::getCsrfProtectionToken()`` will be adjusted to start
a session when called. Therefore the token should only be fetched if it's
really required.

Change-Id: I896f6a722445deede1f0a656ea73db04f0d2e978
Related: FLOW-130
Releases: master, 2.3, 2.2, 2.1
