Fixes T4339. If you're anonymous, we use a digest of your session key to generate a CSRF token. Otherwise, everything works normally.
Details
- Reviewers: btrahan
- Maniphest Tasks: T4339: Support CSRF for logged-out users
- Commits: Restricted Diffusion Commit; rPf9ac534f255d: Support CSRF for logged-out users
Logged out, logged in, tweaked CSRF in forms -- I'll add some inlines.
Diff Detail
- Branch: csrf5
- Lint: Lint Passed

| Severity | Location | Code | Message |
|---|---|---|---|
| Advice | src/aphront/AphrontRequest.php:244 | XHP16 | TODO Comment |

- Unit: Tests Passed
Event Timeline
| File | Lines | Inline comment |
|---|---|---|
| src/aphront/AphrontRequest.php | 227–230 | All these changes are just pht() / usability. I've made the error messages a little more user-focused. |
| src/applications/auth/provider/PhabricatorAuthProviderPassword.php | 189 | This was incorrect before, but didn't get caught by CSRF because the user is always logged out. |
| src/applications/auth/provider/PhabricatorAuthProviderPassword.php | 195 | This is overly aggressive now that we have anonymous sessions. |
| src/applications/base/controller/PhabricatorController.php | 47–54 | I moved this from StandardPageView because we need the token to exist before we can render forms, so it has to happen on every page. That's fine, and probably cleaner, since we have session code in fewer places now. |
| src/applications/base/controller/PhabricatorController.php | 56–58 | "If the user isn't logged in, hash their anonymous session and use it to generate CSRF tokens." |
| src/applications/people/storage/PhabricatorUser.php | 287–291 | "If the user is logged in, use normal stuff. Otherwise, use the alternate base string." |
| src/view/page/PhabricatorStandardPageView.php | 166–175 | This moved to user stuff. |
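The anonymous-session CSRF scheme that the summary and the inline comments on PhabricatorController.php and PhabricatorUser.php describe (hash the anonymous session key and use that digest as the alternate base string, use the account's own secret when logged in), as an added Python example. This is not Phabricator's code and not part of this revision; the HMAC-over-time-slot construction, the hourly rotation with a three-slot acceptance window, and the names `Session`, `csrf_base_string`, `csrf_token` and `validate_csrf_token` are assumptions of the example, not details taken from the page.

```python
import hashlib
import hmac
import secrets
import time

# Assumed design (not Phabricator's): a token is an HMAC keyed with the base
# string over the current time slot, and validation accepts a small window of
# recent slots so a form rendered just before a slot boundary still submits.
TOKEN_CYCLE_SECONDS = 3600  # assumed rotation period
TOKEN_WINDOW = 3            # assumed number of slots (current + past) accepted
TOKEN_LENGTH = 16           # assumed number of hex characters kept


class Session:
    """Minimal session: a random session key plus an optional account secret.

    user_secret is None for an anonymous (logged-out) session.
    """

    def __init__(self, session_key=None, user_secret=None):
        self.session_key = session_key or secrets.token_hex(16)
        self.user_secret = user_secret


def csrf_base_string(session):
    """Logged in: the account's own secret. Anonymous: a digest of the
    session key, so the raw key never becomes part of token material."""
    if session.user_secret is not None:
        return session.user_secret
    return hashlib.sha256(session.session_key.encode()).hexdigest()


def _token_for_slot(session, slot):
    key = csrf_base_string(session).encode()
    mac = hmac.new(key, str(slot).encode(), hashlib.sha256).hexdigest()
    return mac[:TOKEN_LENGTH]


def csrf_token(session, now=None):
    """Token to embed in every rendered form for this session."""
    now = time.time() if now is None else now
    return _token_for_slot(session, int(now // TOKEN_CYCLE_SECONDS))


def validate_csrf_token(session, token, now=None):
    """Accept the token for the current slot or any of the previous
    TOKEN_WINDOW - 1 slots, comparing in constant time."""
    if not isinstance(token, str) or not token:
        return False
    now = time.time() if now is None else now
    slot = int(now // TOKEN_CYCLE_SECONDS)
    for offset in range(TOKEN_WINDOW):
        if hmac.compare_digest(_token_for_slot(session, slot - offset), token):
            return True
    return False


if __name__ == "__main__":
    anon = Session()                      # constructed anonymous session
    tok = csrf_token(anon)
    print("anonymous token valid:", validate_csrf_token(anon, tok))
    anon.user_secret = "constructed-account-secret"  # the user logs in
    print("old anonymous token after login:", validate_csrf_token(anon, tok))
```

Because the anonymous base string is derived from the session key, a token issued to one anonymous session does not validate for another, and logging in switches the base string so tokens minted while logged out stop validating; the time-slot window bounds how long any single token stays usable.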