[Flow] Can't update abstract models anymore
Bastian Waidelich
bastian at typo3.org
Fri May 3 10:23:25 CEST 2013
Steffen Wickham wrote:
Hey Steffen,
> Is the csrf token used
> anymore and if yes, where is it used?
Yes, it's still used for all "unsafe" HTTP methods (POST, PUT, DELETE, ...).
You can see this in the code & documentation changes of
https://review.typo3.org/#/c/19989/
> Even for policy protected methods (e.g. new/edit methods) they are
> disabled right now.... :-/
The CSRF token should primarily prevent you from changing an application
state (e.g. removing/updating db records) only by clicking a link.
new and edit actions usually *don't* change the state of your
application, they simply display a form and you can call the action
multiple times without side effects.
The *create* / *update* actions in contrast usually write changes to
your persistence layer. Of course the action names are just a convention
– if your newAction updates a model you need to call it via POST
(preferably) or persist changes manually.
> I think it is important to add these behaviour to Uri ViewHelper
> as well as many people will use AJAX to transfer data.
It used to be like this before, but we had a lot of trouble with it.
See Robert's blog post [1] for more details.
Re AJAX: Just make sure that your AJAX calls that are not read-only do not
use an unsafe HTTP method (GET/HEAD) and that they contain a CSRF token.
There's a brand new Fluid ViewHelper that will help you [2].
Last but not least you might be interested in a similar request to
yours on forge: http://forge.typo3.org/issues/47551
HTH
[1] http://robertlemke.com/en/blog/no-more-csrf-hassles-safe-requests-in-typo3-flow-2-0.html
[2] https://review.typo3.org/#/c/20064/2/Classes/TYPO3/Fluid/ViewHelpers/Security/CsrfTokenViewHelper.php
--
Bastian Waidelich
--
Core Developer Team
TYPO3 .... inspiring people to share!
Get involved: typo3.org