Revision 3ee880c9

ID 3ee880c9b1b812b4bc20162a1059b18699c0d74a
Parent 6f3f9030
Child 3506ba63, 18f28e0a

Added by Bastian Waidelich almost 7 years ago

[BUGFIX] Render Form CSRF token field only if authenticated

Currently ``CSRF`` tokens are only enforced if an account is
authenticated. But the form ViewHelper rendered the corresponding
hidden field for all forms with method != "GET".

Background:

Rendering the hidden field did not have a side effect before but as
CSRF tokens only make sense with an active session,
``Security\Context::getCsrfProtectionToken()`` will be adjusted to start
a session when called. Therefore the token should only be fetched if it's
really required.

Change-Id: I896f6a722445deede1f0a656ea73db04f0d2e978
Related: FLOW-130
Releases: master, 2.3, 2.2, 2.1