Disabling CSRF on a specific action CakePHP 3

Backend | Unresolved | 4 | 1343
孤独总比滥情好 2021-01-06 18:38

So, I have a table that is auto-generated using DataTables. An action in my CakePHP grabs the data for that table, and formats it into JSON for datatables to use, this is th

4 answers
  • 2021-01-06 19:06

    The above answer does not work in CakePHP 3.6 or later.

    CakePHP adds a CsrfProtectionMiddleware object in src/Application.php. If you have to remove CSRF protection for a specific controller or action, you can use the following workaround:

    // In src/Application.php; needs these imports alongside the existing ones:
    // use Cake\Error\Middleware\ErrorHandlerMiddleware;
    // use Cake\Http\Middleware\CsrfProtectionMiddleware;
    // use Cake\Routing\Middleware\AssetMiddleware;
    // use Cake\Routing\Middleware\RoutingMiddleware;
    public function middleware($middlewareQueue)
    {
        $middlewareQueue = $middlewareQueue
            // Catch any exceptions in the lower layers,
            // and make an error page/response
            ->add(ErrorHandlerMiddleware::class)

            // Handle plugin/theme assets like CakePHP normally does.
            ->add(AssetMiddleware::class)

            // Add routing middleware.
            // Routes collection cache enabled by default, to disable route caching
            // pass null as cacheConfig, example: `new RoutingMiddleware($this)`
            // you might want to disable this cache in case your routing is extremely simple
            ->add(new RoutingMiddleware($this, '_cake_routes_'));

        /*
        // Add csrf middleware.
        $middlewareQueue->add(new CsrfProtectionMiddleware([
            'httpOnly' => true
        ]));
        */

        // CSRF has been removed for the AbcQuotes controller:
        // the middleware is only queued when the request URI does not contain 'abc-quotes'
        if (strpos($_SERVER['REQUEST_URI'], 'abc-quotes') === false) {
            $middlewareQueue->add(new CsrfProtectionMiddleware([
                'httpOnly' => true
            ]));
        }

        return $middlewareQueue;
    }
    
    0 Discussion (0)
  • 2021-01-06 19:10

    In Application.php this worked for me...

    // In src/Application.php, inside middleware(), after RoutingMiddleware has been
    // added (so the routing params are already set on the request).
    // Needs: use Cake\Http\Middleware\CsrfProtectionMiddleware;
    $csrf = new CsrfProtectionMiddleware();

    // Token check will be skipped when callback returns `true`.
    $csrf->whitelistCallback(function ($request) {
        // Skip token check for API URLs.
        if ($request->getParam('controller') === 'Api') {
            return true;
        }
    });

    // The configured middleware still has to be queued.
    $middlewareQueue->add($csrf);
    
    0 Discussion (0)
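A fuller version of the callback approach from this answer, as an added example that is not code from any of the answers or from CakePHP itself. The skip is keyed on the routing parameters rather than the raw request URI (a substring test on $_SERVER['REQUEST_URI'], as in the first answer, exempts every request whose URI happens to contain that text, query string included, whatever controller it routes to), and it is limited to one controller/action pair with no routing prefix. The controller name AbcQuotes and the action name data are assumed names for the DataTables endpoint in the question; CakePHP 3.7 is assumed so that whitelistCallback() is available.

```php
<?php
// Added example: src/Application.php in a CakePHP 3.7 application.
// Skips the CSRF token check only for the one JSON action that DataTables
// calls, identified by routing parameters rather than by the raw URI.
namespace App;

use Cake\Error\Middleware\ErrorHandlerMiddleware;
use Cake\Http\BaseApplication;
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Routing\Middleware\AssetMiddleware;
use Cake\Routing\Middleware\RoutingMiddleware;
use Psr\Http\Message\ServerRequestInterface;

class Application extends BaseApplication
{
    /**
     * Actions exempt from the CSRF token check, as controller/action pairs.
     * Assumed names for the DataTables data endpoint from the question.
     * Keep this list to read-only JSON endpoints: anything exempted here must
     * not change state for a cookie-authenticated session.
     */
    const CSRF_EXEMPT = [
        ['controller' => 'AbcQuotes', 'action' => 'data'],
    ];

    public function middleware($middlewareQueue)
    {
        $csrf = new CsrfProtectionMiddleware([
            'httpOnly' => true,
        ]);

        // The token check is skipped only when this callback returns true.
        // RoutingMiddleware is queued before $csrf, so controller, action and
        // prefix have already been resolved onto the request.
        $csrf->whitelistCallback(function (ServerRequestInterface $request) {
            foreach (self::CSRF_EXEMPT as $route) {
                if ($request->getParam('controller') === $route['controller']
                    && $request->getParam('action') === $route['action']
                    && !$request->getParam('prefix')   // un-prefixed routes only
                ) {
                    return true;
                }
            }

            // Every other request keeps the token check.
            return false;
        });

        $middlewareQueue
            // Catch any exceptions in the lower layers and render an error response.
            ->add(ErrorHandlerMiddleware::class)
            // Handle plugin/theme assets like CakePHP normally does.
            ->add(AssetMiddleware::class)
            // Resolve the route; must run before $csrf so the params exist.
            ->add(new RoutingMiddleware($this, '_cake_routes_'))
            // CSRF protection for everything not exempted above.
            ->add($csrf);

        return $middlewareQueue;
    }
}
```

Matching on controller and action means a renamed URL slug or a query string cannot widen the exemption; the list is the single place to review when auditing which endpoints run without a token check.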
  • 2021-01-06 19:12

    So I needed a fix for CakePHP 3.7, and using $_SERVER['REQUEST_URI'] is really not the way to go here. So here is how you are supposed to do it, after reading through some documentation.

    In src/Application.php, add this function:

    // Needs: use Cake\Http\Middleware\CsrfProtectionMiddleware;
    public function routes($routes)
    {
        $options = ['httpOnly' => true];
        // Register the middleware under a name so routes can opt in to it.
        $routes->registerMiddleware('csrf', new CsrfProtectionMiddleware($options));
        parent::routes($routes);
    }


    Comment out the existing CsrfProtectionMiddleware:

    public function middleware($middlewareQueue)
    {
        ...
        //            $middlewareQueue->add(new CsrfProtectionMiddleware([
        //                'httpOnly' => true
        //            ]));
    }


    Open your config/routes.php and add $routes->applyMiddleware('csrf'); where you do want it:

    // The api prefix deliberately does not apply the 'csrf' middleware.
    Router::prefix('api', function ($routes) {
        $routes->connect('/', ['controller' => 'Pages', 'action' => 'index']);
        $routes->fallbacks(DashedRoute::class);
    });

    Router::scope('/', function (RouteBuilder $routes) {
        // Every route in this scope gets the token check.
        $routes->applyMiddleware('csrf');
        $routes->connect('/', ['controller' => 'Pages', 'action' => 'dashboard']);
        $routes->fallbacks(DashedRoute::class);
    });


    Note that my API user now has no CSRF protection, while the basic calls do have it. If you have more prefixes, don't forget to add the function there as well.

    0 Discussion (0)
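A check for the route-scoped setup in this answer, as an added example that is not the answer's own code: a CakePHP integration test that posts without a token to both scopes and confirms the token check is enforced on the default scope and skipped under the api prefix. It assumes the routes exactly as listed in the answer and CakePHP 3.7, where IntegrationTestCase provides useHttpServer() and enableCsrfToken(); the file path tests/TestCase/CsrfScopeTest.php is a chosen name.

```php
<?php
// Added example: tests/TestCase/CsrfScopeTest.php for a CakePHP 3.7 app using
// the route-scoped 'csrf' middleware from the answer above.
namespace App\Test\TestCase;

use Cake\TestSuite\IntegrationTestCase;

class CsrfScopeTest extends IntegrationTestCase
{
    public function setUp()
    {
        parent::setUp();
        // Send requests through the PSR-7 middleware stack so that the
        // route-registered CsrfProtectionMiddleware is actually executed.
        $this->useHttpServer(true);
    }

    /**
     * Default scope ('/'): a POST without a CSRF token must be rejected.
     * CsrfProtectionMiddleware throws InvalidCsrfTokenException, which the
     * error handler renders as a 403 response.
     */
    public function testPostWithoutTokenIsRejectedOnDefaultScope()
    {
        $this->post('/', ['example' => 'constructed']);
        $this->assertResponseCode(403);
    }

    /**
     * Default scope: the same POST passes the token check once the test
     * harness supplies a matching cookie/form token pair.
     */
    public function testPostWithTokenPassesCheckOnDefaultScope()
    {
        $this->enableCsrfToken();
        $this->post('/', ['example' => 'constructed']);
        // Whatever the action itself answers, it is no longer a CSRF rejection.
        $this->assertNotEquals(403, $this->_response->getStatusCode());
    }

    /**
     * api prefix: the scope does not apply 'csrf', so a token-less POST is
     * not rejected by the middleware. If this test ever starts seeing 403,
     * the prefix has (intentionally or not) gained CSRF protection.
     */
    public function testPostWithoutTokenIsNotRejectedOnApiPrefix()
    {
        $this->post('/api', ['example' => 'constructed']);
        $this->assertNotEquals(403, $this->_response->getStatusCode());
    }
}
```

Run it with `vendor/bin/phpunit tests/TestCase/CsrfScopeTest.php`. Keeping a test like this alongside the routes makes the exemption explicit: any later change that drops applyMiddleware('csrf') from the default scope, or adds it to a prefix that must stay token-free, fails the suite rather than going unnoticed.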
  • 2021-01-06 19:15

    Read all about the CSRF component here:

    http://book.cakephp.org/3.0/en/controllers/components/csrf.html

    You can disable it for a specific action, as described here:

    http://book.cakephp.org/3.0/en/controllers/components/csrf.html#disabling-the-csrf-component-for-specific-actions

    // In a controller (needs: use Cake\Event\Event;)
    public function beforeFilter(Event $event)
    {
        if (in_array($this->request->action, ['actions_you want to disable'])) {
            // Detach the CsrfComponent's event listeners for this request only.
            $this->eventManager()->off($this->Csrf);
        }
    }
    
    0 Discussion (0)