
CSRF protection: restrict to RestApi namespace

Fridtjof requested to merge content-csrf-fix into master

Closes #1781 (closed)

What does this MR do?

The CSRF protection through CsrfListener was implemented when our REST API was the only piece of code actually running through Symfony. Therefore, it was never meant to act upon any Control/Xhr/XhrApp code.

When I moved everything over to run through Symfony, I added a DisableCsrfProtection annotation to the new entry points so it would not break POST requests for e.g. forms. Forms can't have custom headers, so our way of doing CSRF protection could never work for them anyway.

Now that we're starting to move from our own controller structure to going directly through Symfony, this has come up again with issues like #1781 (closed).

To avoid slapping DisableCsrfProtection on everything, I've changed CsrfListener to only care about the Foodsharing\RestApi namespace.

This also makes the annotations on our legacy entrypoints obsolete, which I've removed as well.

How confident are you it won't break things if deployed?

No behavior is changed; the check is merely inverted to explicitly include only the RestApi namespace instead of excluding everything else manually.

Links to related issues

#1781 (closed)

How to test

Test whether submitting http://localhost:18080/content?a=edit&id=87 works now. Previously, it would yield a 400 code with a CSRF error message.

Screenshots (if applicable)

Checklist

  • added a test, or explain why one is not needed/possible...
  • no unrelated changes
  • asked someone for a code review
  • set a "for:" label to indicate who will be affected by this change
  • added to the next milestone (see https://gitlab.com/foodsharing-dev/foodsharing/-/milestones, unless it has a "for:Dev" label)
  • added an entry to CHANGELOG.md
  • added a short text in the release notes to /release-notes/YYYY-MM.md
  • Once your MR has been merged, you are responsible to create a testing issue in the Beta Testing forum: https://foodsharing.de/region?bid=734&sub=forum. Please change the MRs label to "state:Beta testing".
    • Consider writing a detailed description in German.
    • Describe in a few sentences, what should be tested from a user perspective.
    • Also mention different settings (e.g. different browsers, roles, ...) how this change can be tested.
    • Be aware, that also non technical people should understand.
Edited by Fridtjof
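The listener shape the MR describes, as an added example that is not the project's own CsrfListener: a Symfony `kernel.controller` subscriber that applies the custom-header CSRF check only when the resolved controller class lives under `Foodsharing\RestApi`, and lets every other controller (legacy form handlers among them) through without a per-route annotation. The header name `X-CSRF-Token`, the session key `csrf_token` and the class `NamespaceScopedCsrfSubscriber` are assumptions for illustration; the namespace string is the one the MR names.

```php
<?php
// Added example, not code from the foodsharing repository.
// Assumed: the API client sends its token in an X-CSRF-Token header and the
// server keeps the expected value under the session key "csrf_token".
declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\ControllerEvent;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\KernelEvents;

final class NamespaceScopedCsrfSubscriber implements EventSubscriberInterface
{
    // Only controllers in this namespace are subject to the header check.
    private const PROTECTED_NAMESPACE = 'Foodsharing\\RestApi\\';
    private const HEADER = 'X-CSRF-Token';      // assumed header name
    private const SESSION_KEY = 'csrf_token';   // assumed session key
    private const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

    public static function getSubscribedEvents(): array
    {
        return [KernelEvents::CONTROLLER => 'onKernelController'];
    }

    public function onKernelController(ControllerEvent $event): void
    {
        $request = $event->getRequest();
        if (!self::appliesTo($event->getController(), $request)) {
            return; // legacy Control/Xhr/XhrApp entry points are never touched
        }

        $expected = $request->hasSession()
            ? $request->getSession()->get(self::SESSION_KEY)
            : null;
        $given = $request->headers->get(self::HEADER);

        // Reject when either side is missing or they differ (constant-time compare).
        if (!is_string($expected) || !is_string($given) || !hash_equals($expected, $given)) {
            throw new BadRequestHttpException('CSRF token missing or invalid');
        }
    }

    /**
     * The check applies only to state-changing requests whose controller
     * class is inside the protected namespace.
     */
    public static function appliesTo(callable $controller, Request $request): bool
    {
        if (in_array($request->getMethod(), self::SAFE_METHODS, true)) {
            return false;
        }
        $class = self::controllerClass($controller);

        return $class !== null
            && str_starts_with($class, self::PROTECTED_NAMESPACE);
    }

    /** Resolve the class name behind the usual Symfony controller callables. */
    public static function controllerClass(callable $controller): ?string
    {
        if (is_array($controller)) {                 // [$object, 'method'] or ['Class', 'method']
            return is_object($controller[0]) ? get_class($controller[0]) : (string) $controller[0];
        }
        if (is_object($controller) && !$controller instanceof \Closure) {
            return get_class($controller);           // invokable controller object
        }

        return null;                                 // closures and plain functions: not protected
    }
}
```

Because the check keys off the controller namespace rather than an annotation, a new Symfony route outside `Foodsharing\RestApi` is not blocked by default, which is the behaviour the MR wants for form-driven pages like `content?a=edit`. The caveat the MR itself states still holds: HTML forms cannot send a custom header, so endpoints outside the namespace get no CSRF protection from this listener and would need a different mechanism (for example a synchronizer token in a hidden form field) if they are to be protected.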
