Disable CSRF checks on some most-used forms (#1136)
melroy89 authored Sep 20, 2024
1 parent 701388b commit b744109
Showing 11 changed files with 40 additions and 20 deletions.
3 changes: 2 additions & 1 deletion src/Controller/BoostController.php
Expand Up @@ -23,7 +23,8 @@ public function __construct(
#[IsGranted('ROLE_USER')]
public function __invoke(VotableInterface $subject, Request $request): Response
{
$this->validateCsrf('boost', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('boost', $request->getPayload()->get('token'));

$this->manager->vote(VotableInterface::VOTE_UP, $subject, $this->getUserOrThrow());

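Review bot: Commenting out `$this->validateCsrf('boost', $request->getPayload()->get('token'));` leaves a cookie-authenticated, state-changing POST action with no request-origin check; `#[IsGranted('ROLE_USER')]` only proves the caller is logged in, so a form submitted from another site in a logged-in user's browser would now be accepted as that user. The same removal is made in DomainBlockController, DomainSubController, FavouriteController, MagazineBlockController, MagazineSubController, PostDeleteController, UserNotificationController, UserBlockController, UserFollowController and VoteController. If the token lookup or generation is what is broken, the fix belongs in that one place rather than in every action; if the check must stay off for a while, at minimum confirm the session cookie is `SameSite=Lax` (framework config, not visible here) and reject cross-origin requests once, in a shared listener, by comparing `Origin`/`Referer` with the site host. Replace the "for now" wording with a tracking reference so the re-enable is not forgotten, e.g. `// TODO(#<issue-id>): re-enable CSRF validation once token handling is fixed`. `__invoke` continues outside the hunk.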
6 changes: 4 additions & 2 deletions src/Controller/Domain/DomainBlockController.php
Expand Up @@ -22,7 +22,8 @@ public function __construct(
#[IsGranted('ROLE_USER')]
public function block(Domain $domain, Request $request): Response
{
$this->validateCsrf('block', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('block', $request->getPayload()->get('token'));

$this->manager->block($domain, $this->getUserOrThrow());

Expand All @@ -36,7 +37,8 @@ public function block(Domain $domain, Request $request): Response
#[IsGranted('ROLE_USER')]
public function unblock(Domain $domain, Request $request): Response
{
$this->validateCsrf('block', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('block', $request->getPayload()->get('token'));

$this->manager->unblock($domain, $this->getUserOrThrow());

6 changes: 4 additions & 2 deletions src/Controller/Domain/DomainSubController.php
Expand Up @@ -22,7 +22,8 @@ public function __construct(
#[IsGranted('ROLE_USER')]
public function subscribe(Domain $domain, Request $request): Response
{
$this->validateCsrf('subscribe', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('subscribe', $request->getPayload()->get('token'));

$this->manager->subscribe($domain, $this->getUserOrThrow());

Expand All @@ -36,7 +37,8 @@ public function subscribe(Domain $domain, Request $request): Response
#[IsGranted('ROLE_USER')]
public function unsubscribe(Domain $domain, Request $request): Response
{
$this->validateCsrf('subscribe', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('subscribe', $request->getPayload()->get('token'));

$this->manager->unsubscribe($domain, $this->getUserOrThrow());

3 changes: 2 additions & 1 deletion src/Controller/FavouriteController.php
Expand Up @@ -21,7 +21,8 @@ public function __construct(private readonly GenerateHtmlClassService $classServ
#[IsGranted('ROLE_USER')]
public function __invoke(FavouriteInterface $subject, Request $request, FavouriteManager $manager): Response
{
$this->validateCsrf('up_vote', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('up_vote', $request->getPayload()->get('token'));

$manager->toggle($this->getUserOrThrow(), $subject);

6 changes: 4 additions & 2 deletions src/Controller/Magazine/MagazineBlockController.php
Expand Up @@ -22,7 +22,8 @@ public function __construct(private readonly MagazineManager $manager)
#[IsGranted('block', subject: 'magazine')]
public function block(Magazine $magazine, Request $request): Response
{
$this->validateCsrf('block', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('block', $request->getPayload()->get('token'));

$this->manager->block($magazine, $this->getUserOrThrow());

Expand All @@ -37,7 +38,8 @@ public function block(Magazine $magazine, Request $request): Response
#[IsGranted('block', subject: 'magazine')]
public function unblock(Magazine $magazine, Request $request): Response
{
$this->validateCsrf('block', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('block', $request->getPayload()->get('token'));

$this->manager->unblock($magazine, $this->getUserOrThrow());

6 changes: 4 additions & 2 deletions src/Controller/Magazine/MagazineSubController.php
Expand Up @@ -22,7 +22,8 @@ public function __construct(private readonly MagazineManager $manager)
#[IsGranted('subscribe', subject: 'magazine')]
public function subscribe(Magazine $magazine, Request $request): Response
{
$this->validateCsrf('subscribe', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('subscribe', $request->getPayload()->get('token'));

$this->manager->subscribe($magazine, $this->getUserOrThrow());

Expand All @@ -37,7 +38,8 @@ public function subscribe(Magazine $magazine, Request $request): Response
#[IsGranted('subscribe', subject: 'magazine')]
public function unsubscribe(Magazine $magazine, Request $request): Response
{
$this->validateCsrf('subscribe', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('subscribe', $request->getPayload()->get('token'));

$this->manager->unsubscribe($magazine, $this->getUserOrThrow());

9 changes: 6 additions & 3 deletions src/Controller/Post/PostDeleteController.php
Expand Up @@ -28,7 +28,8 @@ public function delete(
Post $post,
Request $request
): Response {
$this->validateCsrf('post_delete', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('post_delete', $request->getPayload()->get('token'));

$this->manager->delete($this->getUserOrThrow(), $post);

Expand All @@ -44,7 +45,8 @@ public function restore(
Post $post,
Request $request
): Response {
$this->validateCsrf('post_restore', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('post_restore', $request->getPayload()->get('token'));

$this->manager->restore($this->getUserOrThrow(), $post);

Expand All @@ -60,7 +62,8 @@ public function purge(
Post $post,
Request $request
): Response {
$this->validateCsrf('post_purge', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('post_purge', $request->getPayload()->get('token'));

$this->manager->purge($this->getUserOrThrow(), $post);

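Review bot: `purge` (hunk `@@ -60,7 +62,8`) is presumably the one irreversible action touched by this commit — `delete` has a `restore` counterpart, `purge` has none visible — and it now runs on any authenticated POST without the `post_purge` token. If the blanket disable has to stay elsewhere, this controller is the one to exempt: keep `$this->validateCsrf('post_purge', $request->getPayload()->get('token'));` active here, or put a shared origin check in front of these routes so the destructive actions are not the ones left unprotected. The bodies of `delete`, `restore` and `purge` all continue outside their hunks.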
6 changes: 4 additions & 2 deletions src/Controller/User/Profile/UserNotificationController.php
Expand Up @@ -29,7 +29,8 @@ public function notifications(NotificationRepository $repository, Request $reque
#[IsGranted('ROLE_USER')]
public function read(NotificationManager $manager, Request $request): Response
{
$this->validateCsrf('read_notifications', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('read_notifications', $request->getPayload()->get('token'));

$manager->markAllAsRead($this->getUserOrThrow());

Expand All @@ -39,7 +40,8 @@ public function read(NotificationManager $manager, Request $request): Response
#[IsGranted('ROLE_USER')]
public function clear(NotificationManager $manager, Request $request): Response
{
$this->validateCsrf('clear_notifications', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('clear_notifications', $request->getPayload()->get('token'));

$manager->clear($this->getUserOrThrow());

6 changes: 4 additions & 2 deletions src/Controller/User/UserBlockController.php
Expand Up @@ -17,7 +17,8 @@ class UserBlockController extends AbstractController
#[IsGranted('ROLE_USER')]
public function block(User $blocked, UserManager $manager, Request $request): Response
{
$this->validateCsrf('block', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('block', $request->getPayload()->get('token'));

$manager->block($this->getUserOrThrow(), $blocked);

Expand All @@ -31,7 +32,8 @@ public function block(User $blocked, UserManager $manager, Request $request): Re
#[IsGranted('ROLE_USER')]
public function unblock(User $blocked, UserManager $manager, Request $request): Response
{
$this->validateCsrf('block', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('block', $request->getPayload()->get('token'));

$manager->unblock($this->getUserOrThrow(), $blocked);

6 changes: 4 additions & 2 deletions src/Controller/User/UserFollowController.php
Expand Up @@ -18,7 +18,8 @@ class UserFollowController extends AbstractController
#[IsGranted('follow', subject: 'following')]
public function follow(User $following, UserManager $manager, Request $request): Response
{
$this->validateCsrf('follow', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('follow', $request->getPayload()->get('token'));

$manager->follow($this->getUserOrThrow(), $following);

Expand All @@ -33,7 +34,8 @@ public function follow(User $following, UserManager $manager, Request $request):
#[IsGranted('follow', subject: 'following')]
public function unfollow(User $following, UserManager $manager, Request $request): Response
{
$this->validateCsrf('follow', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('follow', $request->getPayload()->get('token'));

$manager->unfollow($this->getUserOrThrow(), $following);

3 changes: 2 additions & 1 deletion src/Controller/VoteController.php
Expand Up @@ -30,7 +30,8 @@ public function __construct(
#[IsGranted('vote', subject: 'votable')]
public function __invoke(VotableInterface $votable, int $choice, Request $request): Response
{
$this->validateCsrf('down_vote', $request->getPayload()->get('token'));
// CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
// $this->validateCsrf('down_vote', $request->getPayload()->get('token'));
if (VotableInterface::VOTE_DOWN === $choice && DownvotesMode::Disabled === $this->settingsManager->getDownvotesMode()) {
throw new BadRequestException('Downvotes are disabled!');
}
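Review bot: The commented-out `// $this->validateCsrf('down_vote', ...)` plus the same copy-pasted comment is repeated across nineteen actions in this commit, which makes re-enabling a nineteen-file change and leaves `Request $request` unused in the signatures where the token read was its only use. Since every call goes through `$this->validateCsrf(...)` (presumably a helper on the shared `AbstractController` base, outside this diff), a single switch there — e.g. `if (!$this->csrfValidationEnabled) { return; }` driven by one config value — would let each action keep its original one-line call and keep the kill switch visible in one place. Commented-out code should then be deleted rather than kept as a reminder. `__invoke` continues outside the hunk.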
