fix mvc sample (csrf protection was broken after a forward)

a2262eaf · Ad Schellevis · f1bbc919 · a2262eaf · a2262eaf · a2262eaf
Commit a2262eaf authored Feb 23, 2015 by Ad Schellevis
3 changed files
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
@@ -68,35 +68,35 @@ class ControllerBase extends Controller
     */
    public function beforeExecuteRoute($dispatcher)
    {
-        // Authentication
-        // - use authentication of legacy OPNsense.
-        if ($this->session->has("Username") == false) {
-            $this->response->redirect("/", true);
-        }
-        // check for valid csrf on post requests
-        if ($this->request->isPost() && !$this->security->checkToken()) {
-            // post without csrf, exit.
-            return false;
-        }
+        // only handle input validation on first request.
+        if (!$dispatcher->wasForwarded()) {
+            // Authentication
+            // - use authentication of legacy OPNsense.
+            if ($this->session->has("Username") == false) {
+                $this->response->redirect("/", true);
+            }
+            // check for valid csrf on post requests
+            if ($this->request->isPost() && !$this->security->checkToken()) {
+                // post without csrf, exit.
+                return false;
+            }

-        // REST type calls should be implemented by inheriting ApiControllerBase.
-        // because we don't check for csrf on these methods, we want to make sure these aren't used.
-        if ($this->request->isHead() ||
-            $this->request->isPut() ||
-            $this->request->isDelete() ||
-            $this->request->isPatch() ||
-            $this->request->isOptions()) {
-            throw new \Exception('request type not supported');
+            // REST type calls should be implemented by inheriting ApiControllerBase.
+            // because we don't check for csrf on these methods, we want to make sure these aren't used.
+            if ($this->request->isHead() ||
+                $this->request->isPut() ||
+                $this->request->isDelete() ||
+                $this->request->isPatch() ||
+                $this->request->isOptions()) {
+                throw new \Exception('request type not supported');
+            }
        }

-        // include csrf for GET requests.
-        if ($this->request->isGet()) {
-            // inject csrf information
-            $this->view->setVars([
-                'csrf_tokenKey' => $this->security->getTokenKey(),
-                'csrf_token' => $this->security->getToken()
-            ]);
-        }
+        // include csrf for volt view rendering.
+        $this->view->setVars([
+            'csrf_tokenKey' => $this->security->getTokenKey(),
+            'csrf_token' => $this->security->getToken()
+        ]);

        // Execute before every found action
        $this->view->setVar('lang', $this->getTranslator());

--- a/src/opnsense/mvc/app/controllers/OPNsense/Sample/Api/IndexController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Sample/Api/IndexController.php
@@ -41,8 +41,8 @@ class IndexController extends ApiControllerBase
     */
    public function indexAction()
    {
-        if ($this->request->hasPut("message")) {
-            $message = $this->request->getPut("message");
+        if ($this->request->hasPost("message")) {
+            $message = $this->request->getPost("message");
        } else {
            $message = " " ;
        }

--- a/src/opnsense/mvc/app/views/OPNsense/Sample/index.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/Sample/index.volt
@@ -19,14 +19,13 @@ API call result : <div id="msgid"></div>

    $( "#restcall" ).click( function() {
        $.ajax({
-            type: "PUT",
+            type: "POST",
            url: "/api/sample/",
            success: function(data){
                $("#msgid").html( data.message );
            },
            data:{message:$("#msg").val()}
        });
-
    });

 </script>