Added new security config option cms.enableCsrfProtection

2015-07-04 09:31:28 +10:00 · 2015-07-04 09:31:28 +10:00 · 606892143b
parent 6cf11693b8
commit 606892143b
3 changed files with 22 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,7 @@
  - List columns now support specifying a `default` option used when the value would otherwise be null.
  - Implement a custom autoloader for plugins that use composer. Now only one instance of composer is used, all packages are now added to a global pool to prevent double loading and the load order is respected.
  - The method signature of `Model::save()` has been fixed to match Eloquent.
+  - Added new security config option `cms.enableCsrfProtection`.

 * **Build 272** (2015-06-27)
  - Protected images and their thumbnails are now supported in the back-end.
--- a/config/cms.php
+++ b/config/cms.php
@ -250,4 +250,16 @@ return [

    'defaultMask' => ['file' => null, 'folder' => null],

+    /*
+    |--------------------------------------------------------------------------
+    | Cross Site Request Forgery (CSRF) Protection
+    |--------------------------------------------------------------------------
+    |
+    | If the CSRF protection is enabled, all "postback" requests are checked
+    | for a valid security token.
+    |
+    */
+
+    'enableCsrfProtection' => false,
+
 ];
--- a/modules/backend/classes/Controller.php
+++ b/modules/backend/classes/Controller.php
@ -6,6 +6,7 @@ use Lang;
 use View;
 use Flash;
 use Event;
+use Config;
 use Request;
 use Backend;
 use Session;
@ -34,9 +35,9 @@ use Illuminate\Http\RedirectResponse;
 */
 class Controller extends Extendable
 {
+    use \System\Traits\ViewMaker;
    use \System\Traits\AssetMaker;
    use \System\Traits\ConfigMaker;
-    use \System\Traits\ViewMaker;
    use \Backend\Traits\WidgetMaker;
    use \October\Rain\Support\Traits\Emitter;

@ -118,11 +119,6 @@ class Controller extends Extendable
     */
    protected $statusCode = 200;

-    /**
-     * @var bool Determine if submission requests use CSRF protection.
-     */
-    public $useSecurityToken = true;
-
    /**
     * Constructor.
     */
@ -176,7 +172,7 @@ class Controller extends Extendable
        /*
         * Check security token.
         */
-        if ($this->useSecurityToken && !$this->verifyCsrfToken()) {
+        if (!$this->verifyCsrfToken()) {
            return Response::make(Lang::get('backend::lang.page.invalid_token.label'), 403);
        }

@ -629,11 +625,16 @@ class Controller extends Extendable

    /**
     * Checks the request data / headers for a valid CSRF token.
-     * Returns false if a valid token is not found.
+     * Returns false if a valid token is not found. Override this
+     * method to disable the check.
     * @return bool
     */
    protected function verifyCsrfToken()
    {
+        if (!Config::get('cms.enableCsrfProtection')) {
+            return true;
+        }
+
        if (in_array(Request::method(), ['HEAD', 'GET', 'OPTIONS'])) {
            return true;
        }