fix baserproject#2302 Jwt認証領域でも未認証の場合はCSRFチェックをスキップしない

seto1 · Jun 16, 2023 · d2c2020 · d2c2020
1 parent bf0919e
commit d2c2020
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/plugins/baser-core/src/Plugin.php b/plugins/baser-core/src/Plugin.php
@@ -307,9 +307,6 @@ public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
                     if($authenticator) {
                         // 認証済の際、セッション認証以外はスキップ
                         if(!$authenticator instanceof SessionAuthenticator) return true;
-                    } else {
-                        // 認証できていない場合、領域がJwt認証前提の場合はスキップ
-                        if($authSetting['type'] === 'Jwt') return true;
                     }
                     return false;
                 });

diff --git a/plugins/baser-core/tests/TestCase/Error/BcExceptionRendererTest.php b/plugins/baser-core/tests/TestCase/Error/BcExceptionRendererTest.php
@@ -93,9 +93,12 @@ public function test_getController()
         $this->assertResponseError();
         $this->assertResponseContains('bs-container');
 
-        $this->post('/baser/api/admin/baser-core/users/add.json');
+        $this->get('/baser/api/admin/baser-core/users/index.json');
         $this->assertResponseCode(401);
 
+        $this->post('/baser/api/admin/baser-core/users/add.json');
+        $this->assertResponseCode(403);
+
         Configure::write('debug', $debug);
     }
 }