Bug #31294

SkipCsrfProtection doesn't work for actions without parameters anymore

Added by Martin Brüggemann almost 4 years ago. Updated over 3 years ago.

Status: Closed
Start date: 2011-10-25
Priority: Must have
Due date:
Assigned To: Karsten Dambekalns
% Done: 100%
Category: Security
Target version: TYPO3 Flow Base Distribution - 1.1 beta 1
PHP Version:
Complexity:
Has patch: No
Affected Flow version: FLOW3 1.0.0

Description

I tried to use the @FLOW3\SkipCsrfProtection with the following indexAction:

    /**
     * List action for this controller.
     * @return string
     * @FLOW3\SkipCsrfProtection
     */
    public function indexAction() {

    }

Unfortunately this doesn't work anymore. It works again if I add a dummy parameter like this:

    /**
     * List action for this controller.
     * @return string
     * @FLOW3\SkipCsrfProtection
     */
    public function indexAction($bernd = 'katze') {

    }

Maybe it's a small fix to change FLOW3's @DoctrineAnnotation\Target in Annotations\SkipCsrfProtection.php from "METHOD" to "PROPERTY" like this:

<?php
namespace TYPO3\FLOW3\Annotations;

/*                                                                        *
 * This script belongs to the FLOW3 framework.                            *
 *                                                                        *
 * It is free software; you can redistribute it and/or modify it under    *
 * the terms of the GNU Lesser General Public License, either version 3   *
 * of the License, or (at your option) any later version.                 *
 *                                                                        *
 * The TYPO3 project - inspiring people to share!                         *
 *                                                                        */

use Doctrine\Common\Annotations\Annotation as DoctrineAnnotation;

/**
 * @Annotation
 * @DoctrineAnnotation\Target("PROPERTY")
 */
final class SkipCsrfProtection {}

?>

But I'm not deep enough into this annotation stuff to imagine any side effects :)

History

#1 Updated by Karsten Dambekalns almost 4 years ago

  • Status changed from New to Accepted

The target annotation declares the annotation target, and that is clearly a method in this case (as the annotation is to be added in a method's docblock). So there must be something else.

#2 Updated by Martin Brüggemann over 3 years ago

I updated my FLOW3 Package to the latest trunk and everything works fine now. You can close this ticket. Don't know exactly what has fixed the error, but @FLOW3\SkipCsrfProtection works now!

#3 Updated by Karsten Dambekalns over 3 years ago

  • Status changed from Accepted to Closed
  • % Done changed from 0 to 100

Great!

#4 Updated by Karsten Dambekalns over 3 years ago

  • Target version changed from 1.1 to 1.1 beta 1
