summaryrefslogtreecommitdiff
path: root/app/Http
diff options
context:
space:
mode:
authorGreg Roach <fisharebest@webtrees.net>2019-03-09 10:26:19 +0000
committerGreg Roach <fisharebest@webtrees.net>2019-03-09 10:26:19 +0000
commitba8e6c183f9d611b5fcf1e57eeebc5c1fd30aa31 (patch)
tree5bae81c2b5d2a43836f04791d15b2637920f66a7 /app/Http
parented9ba4389b0f69fb5ddb0d722a689661716fd967 (diff)
downloadwebtrees-ba8e6c183f9d611b5fcf1e57eeebc5c1fd30aa31.tar.gz
webtrees-ba8e6c183f9d611b5fcf1e57eeebc5c1fd30aa31.tar.bz2
webtrees-ba8e6c183f9d611b5fcf1e57eeebc5c1fd30aa31.zip
Do not check CSRF tokens when changing language/theme
Diffstat (limited to 'app/Http')
-rw-r--r--app/Http/Middleware/CheckCsrf.php10
1 files changed, 9 insertions, 1 deletions
diff --git a/app/Http/Middleware/CheckCsrf.php b/app/Http/Middleware/CheckCsrf.php
index 7159ce8d63..06b8d579c9 100644
--- a/app/Http/Middleware/CheckCsrf.php
+++ b/app/Http/Middleware/CheckCsrf.php
@@ -25,12 +25,18 @@ use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use function in_array;
/**
* Middleware to wrap a request in a transaction.
*/
class CheckCsrf implements MiddlewareInterface
{
+ private const EXCLUDE_ROUTES = [
+ 'language',
+ 'theme',
+ ];
+
/**
* @param Request $request
* @param Closure $next
@@ -40,10 +46,12 @@ class CheckCsrf implements MiddlewareInterface
*/
public function handle(Request $request, Closure $next): Response
{
+ $route = $request->get('route');
+
$client_token = $request->get('csrf', $request->headers->get('X_CSRF_TOKEN'));
$session_token = Session::get('CSRF_TOKEN');
- if ($client_token !== $session_token) {
+ if ($client_token !== $session_token && !in_array($route, self::EXCLUDE_ROUTES, true)) {
FlashMessages::addMessage(I18N::translate('This form has expired. Try again.'));
return new RedirectResponse($request->getRequestUri());