diff options
| author | Greg Roach <fisharebest@webtrees.net> | 2019-03-09 10:26:19 +0000 |
|---|---|---|
| committer | Greg Roach <fisharebest@webtrees.net> | 2019-03-09 10:26:19 +0000 |
| commit | ba8e6c183f9d611b5fcf1e57eeebc5c1fd30aa31 (patch) | |
| tree | 5bae81c2b5d2a43836f04791d15b2637920f66a7 /app/Http | |
| parent | ed9ba4389b0f69fb5ddb0d722a689661716fd967 (diff) | |
| download | webtrees-ba8e6c183f9d611b5fcf1e57eeebc5c1fd30aa31.tar.gz webtrees-ba8e6c183f9d611b5fcf1e57eeebc5c1fd30aa31.tar.bz2 webtrees-ba8e6c183f9d611b5fcf1e57eeebc5c1fd30aa31.zip | |
Do not check CSRF tokens when changing language/theme
Diffstat (limited to 'app/Http')
| -rw-r--r-- | app/Http/Middleware/CheckCsrf.php | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/app/Http/Middleware/CheckCsrf.php b/app/Http/Middleware/CheckCsrf.php index 7159ce8d63..06b8d579c9 100644 --- a/app/Http/Middleware/CheckCsrf.php +++ b/app/Http/Middleware/CheckCsrf.php @@ -25,12 +25,18 @@ use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; +use function in_array; /** * Middleware to wrap a request in a transaction. */ class CheckCsrf implements MiddlewareInterface { + private const EXCLUDE_ROUTES = [ + 'language', + 'theme', + ]; + /** * @param Request $request * @param Closure $next @@ -40,10 +46,12 @@ class CheckCsrf implements MiddlewareInterface */ public function handle(Request $request, Closure $next): Response { + $route = $request->get('route'); + $client_token = $request->get('csrf', $request->headers->get('X_CSRF_TOKEN')); $session_token = Session::get('CSRF_TOKEN'); - if ($client_token !== $session_token) { + if ($client_token !== $session_token && !in_array($route, self::EXCLUDE_ROUTES, true)) { FlashMessages::addMessage(I18N::translate('This form has expired. Try again.')); return new RedirectResponse($request->getRequestUri()); |
