Remove the need for CSRF check on ocs::getCurrentUser #7798
Conversation
Fixes #5694. I tested on my server, and it worked like a charm :) I think in terms of security it is fine to open this route. What do you think?
Well yes, this fixes it, but it removes the CSRF protection... also it is not a generic approach. We basically need to fix the middleware to not check for CSRF if the bearer auth is set, much like the OCS-APIREQUEST header
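The middleware decision described in the comment above, as an added illustration that is not Nextcloud's own code: the CSRF check is skipped only when the request is authenticated by a bearer token (which a browser never attaches on its own, so it cannot be forged cross-site) or carries the OCS-APIREQUEST header, or when the controller opted out via the NoCSRFRequired annotation; every other request must present a valid `requesttoken`. The request shape, header names and `hash_equals` comparison are assumptions for this example.

```php
<?php
// Hypothetical CSRF middleware logic (example, not the project's code).

function usesBearerAuth(array $headers): bool
{
    // A cross-site forged request can only ride on cookies; a browser never
    // adds an Authorization: Bearer header by itself, so its presence means
    // the caller deliberately supplied the credential.
    $auth = $headers['Authorization'] ?? '';
    return stripos($auth, 'Bearer ') === 0 && trim(substr($auth, 7)) !== '';
}

function isOcsApiRequest(array $headers): bool
{
    // Existing escape hatch for OCS clients mentioned in the discussion.
    return strtolower($headers['OCS-APIREQUEST'] ?? '') === 'true';
}

/**
 * Returns true when the request may proceed without a CSRF token.
 * $noCsrfRequired mirrors a controller annotated with @NoCSRFRequired.
 */
function passesCsrfCheck(array $headers, array $post, string $sessionToken, bool $noCsrfRequired): bool
{
    if ($noCsrfRequired) {
        return true; // controller explicitly opted out
    }
    if (usesBearerAuth($headers) || isOcsApiRequest($headers)) {
        return true; // generic bypass proposed above, instead of per-route hacks
    }
    // Cookie-authenticated browser request: require the session's CSRF token,
    // compared in constant time.
    $sent = $headers['requesttoken'] ?? $post['requesttoken'] ?? '';
    return $sent !== '' && $sessionToken !== '' && hash_equals($sessionToken, $sent);
}

// Constructed sample requests for a quick check.
$session = 'constructed-session-token';
var_dump(passesCsrfCheck(['Authorization' => 'Bearer constructed-app-token'], [], $session, false)); // true
var_dump(passesCsrfCheck(['Cookie' => 'oc_sessionPassphrase=x'], [], $session, false));           // false
var_dump(passesCsrfCheck([], ['requesttoken' => $session], $session, false));                       // true
```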
The proper fix seems to be #7873 - @pierreozoux could you check if this works for you?
Yes, let's do it in #7873
@Dagefoerde well yes. However, I'm not a fan of multiple hacks to fix the same issue ;) Also, since it is not enough for #5694, fixing it properly and making sure that if you choose to extend NC support in Moodle with other endpoints this just works makes more sense imo :). Looking forward to your review of #7873, THNX :)
Regardless, for my (and Moodle's) needs the fix of #7873 is exactly the way to go, so thanks (again) for that, @rullzer. In the present PR the real issue is that the
The CSRF protection is on by default. You have to add the annotation to disable it ;). So there is no @CSRFrequired annotation.
Ah right, it was the other way round. Sorry for that. So I have to revise: You could consider adding the