-
-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Store the referrer by default in backend
scope
#7227
Conversation
What about the |
|
backend
_scope
backend
scope
Thank you @fritzmg. |
Imho it should be the other way around for safety. i.e. we want to make sure that only the |
What do you mean? The routes now explicitly have |
Before your change the general route definition on all the classes had For the other back end controllers it is not so much of an issue. While they do have a general route definition on their respective classes, they only have one route anyway - which is defined on the |
#7232 fixes the inconsistency. My reasoning is as follows: If an option can be anything or |
The functionality is currently opt-out in general. For the With your change the latter is not the case anymore. If the feature is, for whatever reason, switched to opt-in, the With the original state of this PR you would not have to worry about this. |
If you want it to be opt-in, then please implement it accordingly. It should be |
That's not what I meant. The implementation I did was opt-out, and deliberately so (see description above and discussion in the other issue). My point was that the The point is that we want to ensure that none of the |
The same applies to the The controller/route definition should not care about the default handling of an attribute, if it wants to ensure something. You only need to be concerned about being able to enable or disable the CSRF token check, if you use |
Or look at it this way: let's say we release the current state in Contao 4.13.44 and 5.3.9 respectively. And then it turns out that having this enabled by default for all With the previous state of this PR this would not be necessary. It's about defining things defensively in a forward compatible way and keeping the concerns separate to avoid possible future pitfalls. And my assumption is that @Toflar thought about this similarly when implementing 92ba02e for Contao 4.1.0. |
I have no problems implementing this as an opt-in! But the pull request has implemented it as an opt-out, so just create a new PR and change the implementation. |
You are misunderstanding the point. I do not want this to be opt-in. The recent discussion is about your change which I disagree with (see my comments). |
You did not implement the opt-out pattern correctly, so I fixed it. 🤷♂️ |
Whether the attribute is opt-in or opt-out is solely defined by the implementation in the respective listener. It is not defined by the route definition itself. |
#7190
This implements my opt-out suggestion from #7190 (comment).
Any back end route will now store the referrer by default - but you can opt-out via
_store_referrer: false
in your route defaults/attributes./cc @ameotoko