Added new security config option cms.enableCsrfProtection

daftspunk · daftspunk · commit 606892143bb5 · 2015-07-04T09:31:28.000+10:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
   - List columns now support specifying a `default` option used when the value would otherwise be null.
   - Implement a custom autoloader for plugins that use composer. Now only one instance of composer is used, all packages are now added to a global pool to prevent double loading and the load order is respected.
   - The method signature of `Model::save()` has been fixed to match Eloquent.
+  - Added new security config option `cms.enableCsrfProtection`.
 
 * **Build 272** (2015-06-27)
   - Protected images and their thumbnails are now supported in the back-end.
diff --git a/config/cms.php b/config/cms.php
@@ -250,4 +250,16 @@
 
     'defaultMask' => ['file' => null, 'folder' => null],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Cross Site Request Forgery (CSRF) Protection
+    |--------------------------------------------------------------------------
+    |
+    | If the CSRF protection is enabled, all "postback" requests are checked
+    | for a valid security token.
+    |
+    */
+
+    'enableCsrfProtection' => false,
+
 ];
diff --git a/modules/backend/classes/Controller.php b/modules/backend/classes/Controller.php
@@ -6,6 +6,7 @@
 use View;
 use Flash;
 use Event;
+use Config;
 use Request;
 use Backend;
 use Session;
@@ -34,9 +35,9 @@
  */
 class Controller extends Extendable
 {
+    use \System\Traits\ViewMaker;
     use \System\Traits\AssetMaker;
     use \System\Traits\ConfigMaker;
-    use \System\Traits\ViewMaker;
     use \Backend\Traits\WidgetMaker;
     use \October\Rain\Support\Traits\Emitter;
 
@@ -118,11 +119,6 @@ class Controller extends Extendable
      */
     protected $statusCode = 200;
 
-    /**
-     * @var bool Determine if submission requests use CSRF protection.
-     */
-    public $useSecurityToken = true;
-
     /**
      * Constructor.
      */
@@ -176,7 +172,7 @@ public function run($action = null, $params = [])
         /*
          * Check security token.
          */
-        if ($this->useSecurityToken && !$this->verifyCsrfToken()) {
+        if (!$this->verifyCsrfToken()) {
             return Response::make(Lang::get('backend::lang.page.invalid_token.label'), 403);
         }
 
@@ -629,11 +625,16 @@ public function isBackendHintHidden($name)
 
     /**
      * Checks the request data / headers for a valid CSRF token.
-     * Returns false if a valid token is not found.
+     * Returns false if a valid token is not found. Override this
+     * method to disable the check.
      * @return bool
      */
     protected function verifyCsrfToken()
     {
+        if (!Config::get('cms.enableCsrfProtection')) {
+            return true;
+        }
+
         if (in_array(Request::method(), ['HEAD', 'GET', 'OPTIONS'])) {
             return true;
         }
