Dear Everybody,
My application: GitHub - baimard/gestion
When I remove the @NoCSRFRequired in my controller
```php
<?php
namespace OCA\Gestion\Controller;

use OCP\IRequest;
use OCP\Files\IRootFolder;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\Controller;
use OCA\Gestion\Db\Bdd;

class PageController extends Controller {
	private $idNextcloud;
	private $myDb;

	/** @var IRootStorage */
	private $storage;

	public function __construct($AppName, IRequest $request, $UserId, Bdd $myDb, IRootFolder $rootFolder){
		parent::__construct($AppName, $request);
		$this->idNextcloud = $UserId;
```

(This file has been truncated.)
I get this error message:
Accès non autorisé (Access not authorised)
CSRF check failed
I tried to remove the @NoCSRFRequired in index() and devis().
Is there something I'm not doing right?
Why do you remove it? There shouldn’t be a CSRF check for those routes. Leave the annotation.
Thank you,
but the CSRF check is there for security reasons. If I leave this annotation, doesn’t that cause any security problem?
You have to evaluate the risk of the route. The GET route that loads the page won’t impose a CSRF issue in most applications. When that’s the case, a user won’t need to specify a token for the route.
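
The per-route evaluation discussed in this thread, shown as an added example that is not part of any post here and is not code from the gestion app: the page-loading GET keeps `@NoCSRFRequired`, while a state-changing action leaves it off so the framework's CSRF check applies. The `ExamplePageController` class, the `saveNote()` action and the `NoteStore` service are hypothetical names, and the code assumes it runs inside a Nextcloud app.

```php
<?php
// Added illustration. ExamplePageController, saveNote() and NoteStore are
// hypothetical; only the OCP classes and the annotations are Nextcloud's.
namespace OCA\Example\Controller;

use OCA\Example\Service\NoteStore; // hypothetical service
use OCP\IRequest;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\Http\TemplateResponse;

class ExamplePageController extends Controller {
	private $store;

	public function __construct($AppName, IRequest $request, NoteStore $store) {
		parent::__construct($AppName, $request);
		$this->store = $store;
	}

	/**
	 * Page load: a GET that only renders a template and changes nothing.
	 * The browser navigates here directly and has no token to send yet,
	 * so the CSRF check is switched off for this route.
	 *
	 * @NoAdminRequired
	 * @NoCSRFRequired
	 */
	public function index() {
		return new TemplateResponse($this->appName, 'index');
	}

	/**
	 * State-changing action called from the page's JavaScript (POST).
	 * No @NoCSRFRequired here: the call is rejected with "CSRF check failed"
	 * unless it carries the session token in the "requesttoken" header.
	 *
	 * @NoAdminRequired
	 */
	public function saveNote(string $text) {
		if ($text === '') {
			return new DataResponse(['error' => 'empty note'], Http::STATUS_BAD_REQUEST);
		}
		return new DataResponse(['id' => $this->store->insert($text)]);
	}
}
```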