diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
index 2d189e9ef..73a2b92b3 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
@@ -68,35 +68,35 @@ class ControllerBase extends Controller */ public function beforeExecuteRoute($dispatcher) { - // Authentication - // - use authentication of legacy OPNsense. - if ($this->session->has("Username") == false) { - $this->response->redirect("/", true); - } - // check for valid csrf on post requests - if ($this->request->isPost() && !$this->security->checkToken()) { - // post without csrf, exit. - return false; + // only handle input validation on first request. + if (!$dispatcher->wasForwarded()) { + // Authentication + // - use authentication of legacy OPNsense. + if ($this->session->has("Username") == false) { + $this->response->redirect("/", true); + } + // check for valid csrf on post requests + if ($this->request->isPost() && !$this->security->checkToken()) { + // post without csrf, exit. + return false; + } + + // REST type calls should be implemented by inheriting ApiControllerBase. + // because we don't check for csrf on these methods, we want to make sure these aren't used. + if ($this->request->isHead() || + $this->request->isPut() || + $this->request->isDelete() || + $this->request->isPatch() || + $this->request->isOptions()) { + throw new \Exception('request type not supported'); + } } - // REST type calls should be implemented by inheriting ApiControllerBase. - // because we don't check for csrf on these methods, we want to make sure these aren't used. - if ($this->request->isHead() || - $this->request->isPut() || - $this->request->isDelete() || - $this->request->isPatch() || - $this->request->isOptions()) { - throw new \Exception('request type not supported'); - } - - // include csrf for GET requests. - if ($this->request->isGet()) { - // inject csrf information - $this->view->setVars([ - 'csrf_tokenKey' => $this->security->getTokenKey(), - 'csrf_token' => $this->security->getToken() - ]); - } + // include csrf for volt view rendering. 
+ $this->view->setVars([ + 'csrf_tokenKey' => $this->security->getTokenKey(), + 'csrf_token' => $this->security->getToken() + ]); // Execute before every found action $this->view->setVar('lang', $this->getTranslator()); diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Sample/Api/IndexController.php b/src/opnsense/mvc/app/controllers/OPNsense/Sample/Api/IndexController.php index 61f8fa52d..e4215eebd 100644 --- a/src/opnsense/mvc/app/controllers/OPNsense/Sample/Api/IndexController.php +++ b/src/opnsense/mvc/app/controllers/OPNsense/Sample/Api/IndexController.php @@ -41,8 +41,8 @@ class IndexController extends ApiControllerBase */ public function indexAction() { - if ($this->request->hasPut("message")) { - $message = $this->request->getPut("message"); + if ($this->request->hasPost("message")) { + $message = $this->request->getPost("message"); } else { $message = " " ; } diff --git a/src/opnsense/mvc/app/views/OPNsense/Sample/index.volt b/src/opnsense/mvc/app/views/OPNsense/Sample/index.volt index c916218a9..9e41f09cd 100644 --- a/src/opnsense/mvc/app/views/OPNsense/Sample/index.volt +++ b/src/opnsense/mvc/app/views/OPNsense/Sample/index.volt @@ -19,14 +19,13 @@ API call result :
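Review bot: The unauthenticated branch still only calls `$this->response->redirect("/", true);` and then falls through, so the token injection and the `lang` setup below it run for a request with no `Username` in the session, and — unless Phalcon's redirect aborts dispatch on its own, which this hunk does not show — the routed action runs as well. The CSRF-failure branch a few lines down already stops dispatch with `return false;`; the session check should do the same: `$this->response->redirect("/", true); return false;`. While there, `== false` on a bool return is a loose comparison; `if (!$this->session->has("Username"))` reads the same and avoids the juggling. beforeExecuteRoute continues past the end of the hunk.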
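Review bot: indexAction now reads `message` from the POST body, but nothing in this hunk shows whether ApiControllerBase applies a CSRF check to POST; the ControllerBase hunk in this same commit says REST-style requests are routed to ApiControllerBase precisely because no CSRF check happens there, so the sample now demonstrates a POST endpoint whose cross-site protection depends on behaviour not visible here. Since this controller is the template others copy, the assumption should be written down in the method docblock, e.g. `@note POST is accepted here only because ApiControllerBase handles request validation — verify that before reusing this pattern`. The unchanged default branch `$message = " " ;` also carries a stray space before the semicolon.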
$( "#restcall" ).click( function() { $.ajax({ - type: "PUT", + type: "POST", url: "/api/sample/", success: function(data){ $("#msgid").html( data.message ); }, data:{message:$("#msg").val()} }); - });
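Review bot: The success callback still renders the echoed input with `$("#msgid").html( data.message );`, so whatever was typed into `#msg` (now sent as a POST field) comes back and is parsed as markup; for a sample that others copy, `$("#msgid").text( data.message );` is the right call. That line is unchanged by this commit but sits on the new side of the hunk. The removed trailing `});` also deserves a second look: the visible lines show `$.ajax({` closed by the preceding `});`, and no closing for the `click( function() {` handler is visible after the removal, so confirm the handler still closes — the hunk ends at that line, so the rest of the script is not in view.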