When I remove @NoCSRFRequired -> CSRF Check failed

Juxorevo · July 13, 2021, 1:42pm

Dear Everybody,

My application : GitHub - baimard/gestion

When I remove in my controller the @NoCSRFRequired

baimard/gestion/blob/master/lib/Controller/PageController.php

<?php
namespace OCA\Gestion\Controller;

use OCP\IRequest;
use OCP\Files\IRootFolder;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\Controller;
use OCA\Gestion\Db\Bdd;

class PageController extends Controller {
	private $idNextcloud;
	private $myDb;

	/** @var IRootStorage */
	private $storage;

	public function __construct($AppName, IRequest $request, $UserId, Bdd $myDb, IRootFolder $rootFolder){
		parent::__construct($AppName, $request);
		$this->idNextcloud = $UserId;

This file has been truncated. show original

I have this error message :

 Accès non autorisé (Acces not authorised)
CSRF check failed

I try to remove the @NoCSRFRequired in index() and devis()

Is there something I don’t do well ?

ChristophWurst · July 14, 2021, 11:03am

why do you remove it? There shouldn’t be a CSRF check for those routes. Leave the annotation.

Juxorevo · July 19, 2021, 11:38am

Thank you,

but CSRF check is there for security reason, if I leave this annotation, is that doesn’t cause any security problem ?

ChristophWurst · July 26, 2021, 1:21pm

you have to evaluate the risk of the route. the GET route that loads the page won’t impose a CSRF issue in most applications. When that’s the case then a user won’t need to specify a token for the route.

Joshua_Richet · March 24, 2023, 6:46pm

Why does it fail though?