Need help for a beginner: CSRF Check problem and route question


I’m starting to write a server side app for nextcloud.
I read the tutorial and many docs, but two questions are still open at the moment and I hope somebody can make me smarter.

“Only disable the check if you know what you are doing.”
I know I don’t need to disable it for my app-context.
For the pageController->index it is disabled, as the tutorial says. For the tableController->index the page is working without disabling it, but for tableController->update it is not working. Why?
-> Is it correct that I only disable it at the first call method, mostly the pageController->index?

Template and method for form loading:
with the routes as a resource there are standard routes defined. I guess it is all I need for simple situations. I try to list, show, create and update a list of tables. What route should be called to load a form to create a new item?
I guess I need something like table#loadform and on submitting it goes to table#create. Is there an app where I can have a look at how they solved it?
(Problem: I have no idea about js.)

Thanks for your help, I wouldn’t ask if I knew how to go on.


Yes, any page that is loaded directly needs to have CSRF disabled. But those pages should not manipulate any data. Anything that creates, modifies or deletes data should have a CSRF check in place. Otherwise a CSRF attack is possible (short explanation: I embed a 1*1 pixel image on my website and when you visit it, your files/calendar/whatever your app handles is deleted from your nextcloud, see for more information).

Maybe the source code helps you best:

rows with `'on-collection' => true` mean they go on `/collection`, rows without are `/collection/{id}`
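To make the rule from the answer concrete (page loaded directly: CSRF check off; resource methods that change data: check on), here is an added example of a Nextcloud app controller. It is not the source code the answer refers to; the app id `mytables`, the `TableController`, the in-memory `$tables` store and the routes shown in the comments are all assumptions.

```php
<?php
// Hypothetical app "mytables": lib/Controller/TableController.php.
// Its appinfo/routes.php declares one directly loaded page plus a resource:
//   return ['routes'    => [['name' => 'page#index', 'url' => '/', 'verb' => 'GET']],
//           'resources' => ['table' => ['url' => '/tables']]];
// The resource expands to table#index GET /tables, table#show GET /tables/{id},
// table#create POST /tables, table#update PUT /tables/{id}, table#destroy DELETE /tables/{id}.
// No "loadform" route is needed: the form lives in the page#index template and its JS
// submits to table#create / table#update with the header 'requesttoken' = OC.requestToken.
namespace OCA\MyTables\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\DataResponse;

class TableController extends Controller {
    /** @var array<int, array> constructed in-memory store standing in for a real mapper */
    private $tables = [1 => ['id' => 1, 'name' => 'example']];

    // Read-only and fetched by the page's JS, so the CSRF check stays enabled.
    // Only PageController::index (the URL typed into the browser) carries the
    // @NoCSRFRequired annotation, and it just renders a template without touching data.
    /**
     * @NoAdminRequired
     */
    public function index(): DataResponse {
        return new DataResponse(array_values($this->tables));
    }

    // Modifies data, so deliberately NOT annotated with @NoCSRFRequired: a PUT
    // without a valid requesttoken (e.g. triggered from a foreign site) is rejected
    // by the framework before this method runs; that is the "not working" case.
    /**
     * @NoAdminRequired
     */
    public function update(int $id, string $name): DataResponse {
        if (!isset($this->tables[$id])) {
            return new DataResponse(['message' => 'not found'], Http::STATUS_NOT_FOUND);
        }
        $this->tables[$id]['name'] = $name;
        return new DataResponse($this->tables[$id]);
    }
}
```

The annotations are read from the docblock directly above each method, which is why the explanatory text sits in `//` comments outside the docblocks.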

Hi, great. I think I got it with the csrf. I have to investigate in learning js. :slight_smile:

The routing solution is interesting. I have to play with it to get it.