XF 2.0 CSRF Token

LandNetwork

Member
Hi,

I'm using XenForo 2.0 for my site and I'm building an add-on. I find the documentation very lacking for 2.0 and am disappointed by this. Also, coming from a Laravel background, Zend and XenForo frameworks are fairly new to me.

All I am trying to do is retrieve a CSRF token in a view to allow me to make a POST request without getting the security problem message, but I can't figure out how to get the CSRF token from the add-on! Any help is much appreciated...

Regards.
 
In the vast majority of cases, you don't need to manually access a CSRF token as we will automatically add it. This applies if you are submitting a form and use an <xf:form> tag for it or if you use our ajax methods in JS. These would be the recommended approaches.

If you need a CSRF input for a form, in an XF template:
Code:
<xf:csrf />
If you need the raw token:
Code:
\XF::app()->get('csrf.token');
 
That's perfect. Perhaps worth adding to the documentation? (Unless it is already, and I just missed it?)
Further, is there any way to define a POST route? E.g. doesn't accept GET or any other methods. I've made a route that works with POST but seems to work with GET also?
 
We don't specify method restrictions in routes. That would generally be done in the controller (assertPostOnly if you need it).
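
Added example, not part of the thread and not XenForo's own code: an add-on controller that restricts its state-changing action with assertPostOnly and only hands the raw token to the view for client code that cannot use <xf:form> or XF's ajax methods. The namespace Demo\Addon, the route prefix demo-notes, the template name demo_note_form and the csrfToken parameter name are assumptions.

```php
<?php

namespace Demo\Addon\Pub\Controller; // hypothetical add-on namespace

use XF\Pub\Controller\AbstractController;

class Note extends AbstractController
{
    // GET: render the form.
    // If the template (assumed name: demo_note_form) wraps its fields in
    //   <xf:form action="{{ link('demo-notes/save') }}" ajax="true"> ... </xf:form>
    // the CSRF input is added automatically and nothing has to be passed in.
    public function actionIndex()
    {
        $viewParams = [
            // Only needed when custom client code builds the POST itself
            // instead of using <xf:form> or XF's ajax methods.
            'csrfToken' => \XF::app()->get('csrf.token'),
        ];

        return $this->view('Demo\Addon:Note\Index', 'demo_note_form', $viewParams);
    }

    // POST only: the route itself cannot restrict the method, so the
    // controller action rejects anything that is not a POST.
    public function actionSave()
    {
        $this->assertPostOnly();

        // Read the submitted field through the input filterer as a string.
        $title = trim($this->filter('title', 'str'));
        if ($title === '') {
            return $this->error('Please enter a title.');
        }

        // Storing $title is add-on specific and left out here; the action
        // then sends the browser back to the form page.
        return $this->redirect($this->buildLink('demo-notes'));
    }
}
```

With this in place, a GET to demo-notes/save is rejected by the controller rather than reaching the code that changes state.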
 
Does one need a CSRF token to search XenForo (which is in the /forum directory) from the domain's index page? The index is a plain HTML page, which contains a search box pointing to /forum/search, but searching results in a security error.

Analogously, there is a login/password form on the index page, which Chrome autofills with the visitor's credentials since both the index and the forum are on the same domain, but going to /login and /register also returns security errors.
 