From eb4648972f74f36f195f4e1c9ef00f9873aa51e8 Mon Sep 17 00:00:00 2001
From: Luke Towers
Date: Mon, 28 Oct 2019 13:33:07 -0600
Subject: [PATCH] Ensure that the XSRF cookie can always be added to the response, no matter the source of the response
---
 modules/cms/classes/Controller.php | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/modules/cms/classes/Controller.php b/modules/cms/classes/Controller.php
index ae0198682..5b09fa038 100644
--- a/modules/cms/classes/Controller.php
+++ b/modules/cms/classes/Controller.php
@@ -136,11 +136,29 @@ class Controller
 * Finds and serves the requested page.
 * If the page cannot be found, returns the page with the URL /404.
 * If the /404 page doesn't exist, returns the system 404 page.
+ * * If the parameter is omitted, the current URL used.
+ *
 * @param string $url Specifies the requested page URL.
- * If the parameter is omitted, the current URL used.
- * @return string Returns the processed page content.
+ * @return Response Returns the processed page content.
 */
 public function run($url = '/')
+ {
+ $response = $this->runInternal($url);
+
+ if (Config::get('cms.enableCsrfProtection') && $response instanceof \Symfony\Component\HttpFoundation\Response) {
+ $this->addXsrfCookie($response);
+ }
+
+ return $response;
+ }
+
+ /**
+ * Process the request internally
+ *
+ * @param string $url Specifies the requested page URL.
+ * @return Response Returns the processed page content.
+ */
+ protected function runInternal($url = '/')
 {
 if ($url === null) {
 $url = Request::path();
@@ -266,13 +284,7 @@ class Controller
 return $result;
 }
 
- $response = Response::make($result, $this->statusCode);
-
- if (Config::get('cms.enableCsrfProtection')) {
- $this->addXsrfCookie($response);
- }
-
- return $response;
+ return Response::make($result, $this->statusCode);
 }
 
 /**
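Review bot: The `instanceof \Symfony\Component\HttpFoundation\Response` guard in the new `run()` silently skips the XSRF cookie whenever `runInternal()` returns something that is not a Response object. The second hunk's context still shows a bare `return $result;` path, so the "always" in the commit title may not hold if that value can be a string or a view. A comment on the guard such as `// Non-Response results are returned without the XSRF cookie` would make the gap visible to whoever maintains CSRF coverage. Both docblocks also say `@return Response`, which in this file appears to resolve to the facade called as `Response::make(...)` rather than the class the guard tests; `@return \Symfony\Component\HttpFoundation\Response|mixed` would match what callers actually get. The body of `runInternal()` continues outside the hunks, so its other return paths could not be checked here.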