From b744109f68a04c39542a61cb47ab0fbf389fcf9f Mon Sep 17 00:00:00 2001
From: Melroy van den Berg
Date: Fri, 20 Sep 2024 16:48:39 +0200
Subject: [PATCH] Disable CSRF checks on some most-used forms (#1136)

---
 src/Controller/BoostController.php | 3 ++-
 src/Controller/Domain/DomainBlockController.php | 6 ++++--
 src/Controller/Domain/DomainSubController.php | 6 ++++--
 src/Controller/FavouriteController.php | 3 ++-
 src/Controller/Magazine/MagazineBlockController.php | 6 ++++--
 src/Controller/Magazine/MagazineSubController.php | 6 ++++--
 src/Controller/Post/PostDeleteController.php | 9 ++++++---
 .../User/Profile/UserNotificationController.php | 6 ++++--
 src/Controller/User/UserBlockController.php | 6 ++++--
 src/Controller/User/UserFollowController.php | 6 ++++--
 src/Controller/VoteController.php | 3 ++-
 11 files changed, 40 insertions(+), 20 deletions(-)

diff --git a/src/Controller/BoostController.php b/src/Controller/BoostController.php
index 582829cc5..75284d737 100644
--- a/src/Controller/BoostController.php
+++ b/src/Controller/BoostController.php
@@ -23,7 +23,8 @@ public function __construct(
     #[IsGranted('ROLE_USER')]
     public function __invoke(VotableInterface $subject, Request $request): Response
     {
-        $this->validateCsrf('boost', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('boost', $request->getPayload()->get('token'));
 
         $this->manager->vote(VotableInterface::VOTE_UP, $subject, $this->getUserOrThrow());
 
diff --git a/src/Controller/Domain/DomainBlockController.php b/src/Controller/Domain/DomainBlockController.php
index 35e50b477..67462ec90 100644
--- a/src/Controller/Domain/DomainBlockController.php
+++ b/src/Controller/Domain/DomainBlockController.php
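Review bot: With `validateCsrf('boost', ...)` commented out, `__invoke` is a session-authenticated, state-changing POST handler with no check that the request originated from this site, and the same removal is repeated in every other hunk of this patch (DomainBlockController, DomainSubController, FavouriteController, MagazineBlockController, MagazineSubController, PostDeleteController including the irreversible `purge`, UserNotificationController, UserBlockController, UserFollowController and VoteController). `#[IsGranted('ROLE_USER')]` only confirms the session is logged in, so unless the session cookie is already `SameSite`-restricted — which nothing in this patch shows — a cross-site request is now accepted on these endpoints. A safer fix is to diagnose why the token lookup fails (for example the client may be sending the token somewhere other than the request body, which `$request->getPayload()->get('token')` cannot see) and validate it from that source, or to put the exemption behind a configuration flag so it is deliberate and reversible rather than a comment. If the bypass has to ship, drop the dead commented-out call and replace the two added lines with a single tracked note, e.g. `// TODO(#1136): CSRF validation temporarily disabled; re-enable once the token is delivered reliably.`. The body of `__invoke` continues outside the hunk.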
@@ -22,7 +22,8 @@ public function __construct(
     #[IsGranted('ROLE_USER')]
     public function block(Domain $domain, Request $request): Response
     {
-        $this->validateCsrf('block', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('block', $request->getPayload()->get('token'));
 
         $this->manager->block($domain, $this->getUserOrThrow());
 
@@ -36,7 +37,8 @@ public function block(Domain $domain, Request $request): Response
     #[IsGranted('ROLE_USER')]
     public function unblock(Domain $domain, Request $request): Response
     {
-        $this->validateCsrf('block', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('block', $request->getPayload()->get('token'));
 
         $this->manager->unblock($domain, $this->getUserOrThrow());
 
diff --git a/src/Controller/Domain/DomainSubController.php b/src/Controller/Domain/DomainSubController.php
index 18107f5b2..5e06810d5 100644
--- a/src/Controller/Domain/DomainSubController.php
+++ b/src/Controller/Domain/DomainSubController.php
@@ -22,7 +22,8 @@ public function __construct(
     #[IsGranted('ROLE_USER')]
     public function subscribe(Domain $domain, Request $request): Response
     {
-        $this->validateCsrf('subscribe', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('subscribe', $request->getPayload()->get('token'));
 
         $this->manager->subscribe($domain, $this->getUserOrThrow());
 
@@ -36,7 +37,8 @@ public function subscribe(Domain $domain, Request $request): Response
     #[IsGranted('ROLE_USER')]
     public function unsubscribe(Domain $domain, Request $request): Response
     {
-        $this->validateCsrf('subscribe', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('subscribe', $request->getPayload()->get('token'));
 
         $this->manager->unsubscribe($domain, $this->getUserOrThrow());
 
diff --git a/src/Controller/FavouriteController.php b/src/Controller/FavouriteController.php
index 28ba605a6..2834255cb 100644
--- a/src/Controller/FavouriteController.php
+++ b/src/Controller/FavouriteController.php
@@ -21,7 +21,8 @@ public function __construct(private readonly GenerateHtmlClassService $classServ
     #[IsGranted('ROLE_USER')]
     public function __invoke(FavouriteInterface $subject, Request $request, FavouriteManager $manager): Response
     {
-        $this->validateCsrf('up_vote', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('up_vote', $request->getPayload()->get('token'));
 
         $manager->toggle($this->getUserOrThrow(), $subject);
 
diff --git a/src/Controller/Magazine/MagazineBlockController.php b/src/Controller/Magazine/MagazineBlockController.php
index 0d18e49fc..ad1972da1 100644
--- a/src/Controller/Magazine/MagazineBlockController.php
+++ b/src/Controller/Magazine/MagazineBlockController.php
@@ -22,7 +22,8 @@ public function __construct(private readonly MagazineManager $manager)
     #[IsGranted('block', subject: 'magazine')]
     public function block(Magazine $magazine, Request $request): Response
     {
-        $this->validateCsrf('block', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('block', $request->getPayload()->get('token'));
 
         $this->manager->block($magazine, $this->getUserOrThrow());
 
@@ -37,7 +38,8 @@ public function block(Magazine $magazine, Request $request): Response
     #[IsGranted('block', subject: 'magazine')]
     public function unblock(Magazine $magazine, Request $request): Response
     {
-        $this->validateCsrf('block', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('block', $request->getPayload()->get('token'));
 
         $this->manager->unblock($magazine, $this->getUserOrThrow());
 
diff --git a/src/Controller/Magazine/MagazineSubController.php b/src/Controller/Magazine/MagazineSubController.php
index 66ac93d1c..1a5d0a4c4 100644
--- a/src/Controller/Magazine/MagazineSubController.php
+++ b/src/Controller/Magazine/MagazineSubController.php
@@ -22,7 +22,8 @@ public function __construct(private readonly MagazineManager $manager)
     #[IsGranted('subscribe', subject: 'magazine')]
     public function subscribe(Magazine $magazine, Request $request): Response
     {
-        $this->validateCsrf('subscribe', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('subscribe', $request->getPayload()->get('token'));
 
         $this->manager->subscribe($magazine, $this->getUserOrThrow());
 
@@ -37,7 +38,8 @@ public function subscribe(Magazine $magazine, Request $request): Response
     #[IsGranted('subscribe', subject: 'magazine')]
     public function unsubscribe(Magazine $magazine, Request $request): Response
     {
-        $this->validateCsrf('subscribe', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('subscribe', $request->getPayload()->get('token'));
 
         $this->manager->unsubscribe($magazine, $this->getUserOrThrow());
 
diff --git a/src/Controller/Post/PostDeleteController.php b/src/Controller/Post/PostDeleteController.php
index b2f6d0055..1bf5b42b7 100644
--- a/src/Controller/Post/PostDeleteController.php
+++ b/src/Controller/Post/PostDeleteController.php
@@ -28,7 +28,8 @@ public function delete(
         Post $post,
         Request $request
     ): Response {
-        $this->validateCsrf('post_delete', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('post_delete', $request->getPayload()->get('token'));
 
         $this->manager->delete($this->getUserOrThrow(), $post);
 
@@ -44,7 +45,8 @@ public function restore(
         Post $post,
         Request $request
     ): Response {
-        $this->validateCsrf('post_restore', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('post_restore', $request->getPayload()->get('token'));
 
         $this->manager->restore($this->getUserOrThrow(), $post);
 
@@ -60,7 +62,8 @@ public function purge(
         Post $post,
         Request $request
     ): Response {
-        $this->validateCsrf('post_purge', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('post_purge', $request->getPayload()->get('token'));
 
         $this->manager->purge($this->getUserOrThrow(), $post);
 
diff --git a/src/Controller/User/Profile/UserNotificationController.php b/src/Controller/User/Profile/UserNotificationController.php
index 162d56aa1..bd161ec9f 100644
--- a/src/Controller/User/Profile/UserNotificationController.php
+++ b/src/Controller/User/Profile/UserNotificationController.php
@@ -29,7 +29,8 @@ public function notifications(NotificationRepository $repository, Request $reque
     #[IsGranted('ROLE_USER')]
     public function read(NotificationManager $manager, Request $request): Response
     {
-        $this->validateCsrf('read_notifications', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('read_notifications', $request->getPayload()->get('token'));
 
         $manager->markAllAsRead($this->getUserOrThrow());
 
@@ -39,7 +40,8 @@ public function read(NotificationManager $manager, Request $request): Response
     #[IsGranted('ROLE_USER')]
     public function clear(NotificationManager $manager, Request $request): Response
     {
-        $this->validateCsrf('clear_notifications', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('clear_notifications', $request->getPayload()->get('token'));
 
         $manager->clear($this->getUserOrThrow());
 
diff --git a/src/Controller/User/UserBlockController.php b/src/Controller/User/UserBlockController.php
index 482e5a514..0ba8568f5 100644
--- a/src/Controller/User/UserBlockController.php
+++ b/src/Controller/User/UserBlockController.php
@@ -17,7 +17,8 @@ class UserBlockController extends AbstractController
     #[IsGranted('ROLE_USER')]
     public function block(User $blocked, UserManager $manager, Request $request): Response
     {
-        $this->validateCsrf('block', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('block', $request->getPayload()->get('token'));
 
         $manager->block($this->getUserOrThrow(), $blocked);
 
@@ -31,7 +32,8 @@ public function block(User $blocked, UserManager $manager, Request $request): Re
     #[IsGranted('ROLE_USER')]
     public function unblock(User $blocked, UserManager $manager, Request $request): Response
     {
-        $this->validateCsrf('block', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('block', $request->getPayload()->get('token'));
 
         $manager->unblock($this->getUserOrThrow(), $blocked);
 
diff --git a/src/Controller/User/UserFollowController.php b/src/Controller/User/UserFollowController.php
index 8a5f19bf1..8ab905ad3 100644
--- a/src/Controller/User/UserFollowController.php
+++ b/src/Controller/User/UserFollowController.php
@@ -18,7 +18,8 @@ class UserFollowController extends AbstractController
     #[IsGranted('follow', subject: 'following')]
     public function follow(User $following, UserManager $manager, Request $request): Response
     {
-        $this->validateCsrf('follow', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('follow', $request->getPayload()->get('token'));
 
         $manager->follow($this->getUserOrThrow(), $following);
 
@@ -33,7 +34,8 @@ public function follow(User $following, UserManager $manager, Request $request):
     #[IsGranted('follow', subject: 'following')]
     public function unfollow(User $following, UserManager $manager, Request $request): Response
     {
-        $this->validateCsrf('follow', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('follow', $request->getPayload()->get('token'));
 
         $manager->unfollow($this->getUserOrThrow(), $following);
 
diff --git a/src/Controller/VoteController.php b/src/Controller/VoteController.php
index f9b5c3635..bc5eeeeda 100644
--- a/src/Controller/VoteController.php
+++ b/src/Controller/VoteController.php
@@ -30,7 +30,8 @@ public function __construct(
     #[IsGranted('vote', subject: 'votable')]
     public function __invoke(VotableInterface $votable, int $choice, Request $request): Response
     {
-        $this->validateCsrf('down_vote', $request->getPayload()->get('token'));
+        // CSRF is causing a lot of issues, so we disable it for now. See PR: https://github.com/MbinOrg/mbin/pull/1136
+        // $this->validateCsrf('down_vote', $request->getPayload()->get('token'));
         if (VotableInterface::VOTE_DOWN === $choice && DownvotesMode::Disabled === $this->settingsManager->getDownvotesMode()) {
             throw new BadRequestException('Downvotes are disabled!');
         }