[FIX] website_form: allow to submit form without csrf if not logged
Chrome recently changed their SameSite policy default value from None to Lax,
so the session is no longer shared between the webpage and the iframe.
As a result, the csrf check systematically fails.

After this commit, the csrf_token check is only made when you have a session.

In case you are using your form in an iframe on another site, with the new
cookies policy, your cookies with the session_id (linked to the csrf token)
are not sent to the server and the csrf check always fails.

Since the purpose of the csrf is to prevent another website from submitting a form
with your 'authenticated account', we can consider that if you are not logged in
and so have no session_id, it is not critical and we can ignore the csrf check.

closes #58028

X-original-commit: f79240e
Signed-off-by: Olivier Dony (odo) <odo@openerp.com>
Signed-off-by: Jérémy Kersten (jke) <jke@openerp.com>
Laurent Stukkens (LTU) authored and JKE-be committed Sep 18, 2020
1 parent 33cf9fd commit 6241d0b
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion addons/website_form/controllers/main.py
Expand Up @@ -7,6 +7,7 @@

from datetime import datetime
from psycopg2 import IntegrityError
from werkzeug.exceptions import BadRequest

from odoo import http, SUPERUSER_ID
from odoo.http import request
Expand All @@ -19,8 +20,16 @@
class WebsiteForm(http.Controller):

# Check and insert values from the form on the model <model>
@http.route('/website_form/<string:model_name>', type='http', auth="public", methods=['POST'], website=True)
@http.route('/website_form/<string:model_name>', type='http', auth="public", methods=['POST'], website=True, csrf=False)
def website_form(self, model_name, **kwargs):
# Partial CSRF check, only performed when session is authenticated, as there
# is no real risk for unauthenticated sessions here. It's a common case for
# embedded forms now: SameSite policy rejects the cookies, so the session
# is lost, and the CSRF check fails, breaking the post for no good reason.
csrf_token = request.params.pop('csrf_token', None)
if request.session.uid and not request.validate_csrf(csrf_token):
raise BadRequest('Session expired (invalid CSRF token)')

model_record = request.env['ir.model'].sudo().search([('model', '=', model_name), ('website_form_access', '=', True)])
if not model_record:
return json.dumps(False)
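Review bot: the bypass in this hunk is wider than the in-code comment suggests: `csrf=False` on the route turns off the framework's check for every caller, and the manual `request.validate_csrf(csrf_token)` only runs when `request.session.uid` is set, so any third-party page can now POST into every model flagged `website_form_access` as the anonymous public user, not just from the iframe case described. If that is the accepted trade-off, say so explicitly in the comment (e.g. "anonymous cross-site submissions are allowed by design; only authenticated sessions are CSRF-protected") so a later reader does not take the check as complete. Also consider the alternative that keeps the check intact: the SameSite breakage the comment describes only affects cookies without an explicit attribute, so issuing the session cookie with `SameSite=None; Secure` restores cookie delivery inside cross-site iframes without dropping CSRF validation for anyone. Finally, the guard relies on `request.session.uid` being unset for public visitors; worth a short note or test confirming that assumption, since a public session that does carry a uid would still be protected while one that does not is accepted unconditionally.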
