Ziaur Rashid, posted November 10, 2017

Hi,
Need help to disable CSRF protection for registration & password forgot/reset page. Suggestion required to integrate registration page.
https://nextophost.com/clients/order/signup/index/Register
https://www.nextophost.com/register.html

Ziaur Rashid (author), posted November 10, 2017

And I also need to reduce the fields on the registration form. Another problem is that the state/province option is showing the same name twice. How to fix this?

Ziaur Rashid (author), posted November 12, 2017

@Paul @gosuhost @Blesta Addons, please help me to solve this issue.

Tyson, posted November 15, 2017

You need to update your configuration file to set specific controller methods that should bypass the CSRF check. You can update /config/blesta.php, then find and update

    Configure::set('Blesta.csrf_bypass', array());

to:

    Configure::set('Blesta.csrf_bypass', array('client_login::index', 'client_login::reset'));

That will disable the CSRF check on the client login and client reset password pages.

The ISO-3166 for Bangladesh includes multiple districts and divisions, and some of the divisions have the same name as the district, hence why "Chittagong" appears duplicate--one refers to the division and the other refers to the district. If you need to update the States in Blesta to better represent provinces in your area more specifically than the ISO-3166 can represent, you can try the States&Countries plugin to update them.

Ziaur Rashid (author), posted November 23, 2017

On 16/11/2017 at 12:14 AM, Tyson said:
> You need to update your configuration file to set specific controller methods that should bypass the CSRF check. You can update /config/blesta.php, then find and update
>
>     Configure::set('Blesta.csrf_bypass', array());
>
> to:
>
>     Configure::set('Blesta.csrf_bypass', array('client_login::index', 'client_login::reset'));
>
> That will disable the CSRF check on the client login and client reset password pages.

What to do to disable csrf check for registration page?

Beav, posted November 23, 2017

58 minutes ago, Nextop Host said:
> What to do to disable csrf check for registration page?

'controller::action' for whatever you are wanting to disable it on. Make sure to separate each exception with a comma, and be careful using this if you don't know what you're doing.

Tyson, posted November 27, 2017

On 11/23/2017 at 8:34 AM, Nextop Host said:
> What to do to disable csrf check for registration page?

    Configure::set('Blesta.csrf_bypass', array('client_login::index', 'client_login::reset', 'signup::index'));

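Added example (not part of the thread and not Blesta's own code): a small Python audit that reads the `Blesta.csrf_bypass` setting from a copy of the configuration file and reports any `controller::action` exemption that is not on a reviewed list. The sample config text, the `APPROVED` allowlist and the entry-shape check are assumptions made for illustration.

```python
import re

# Finds Configure::set('Blesta.csrf_bypass', array(...)); or the short [...] form.
BYPASS_RE = re.compile(
    r"Configure::set\(\s*['\"]Blesta\.csrf_bypass['\"]\s*,\s*"
    r"(?:array\s*\(|\[)(.*?)(?:\)|\])\s*\)\s*;",
    re.DOTALL,
)
ENTRY_RE = re.compile(r"['\"]([^'\"]*)['\"]")
# Assumption: entries look like the ones in this thread, 'controller::action'.
SHAPE_RE = re.compile(r"^\w+::\w+$")

# Constructed sample, not a real Blesta config file.
SAMPLE_CONFIG = """
// Configure::set('Blesta.csrf_bypass', array('old::entry'));
Configure::set('Blesta.csrf_bypass', array('client_login::index',
    'client_login::reset', 'signup::index', 'signup'));
"""
# Hypothetical allowlist: the exemptions someone has reviewed and signed off.
APPROVED = {"client_login::index", "client_login::reset"}


def bypass_entries(config_text):
    """Return every entry listed in a live (uncommented) csrf_bypass setting."""
    live = re.sub(r"^[ \t]*(?://|#).*$", "", config_text, flags=re.MULTILINE)
    entries = []
    for match in BYPASS_RE.finditer(live):
        entries.extend(e.strip() for e in ENTRY_RE.findall(match.group(1)))
    return entries


def audit(config_text, approved):
    """Sort entries into approved, unexpected (unreviewed) and malformed."""
    report = {"approved": [], "unexpected": [], "malformed": []}
    for entry in bypass_entries(config_text):
        if not SHAPE_RE.match(entry):
            report["malformed"].append(entry)
        elif entry in approved:
            report["approved"].append(entry)
        else:
            report["unexpected"].append(entry)
    return report


if __name__ == "__main__":
    for status, names in audit(SAMPLE_CONFIG, APPROVED).items():
        print(f"{status}: {', '.join(names) or '-'}")
```
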
Blesta Addons, posted November 28, 2017

A plugin was released to help admins set those pages via the admin panel. No need to edit the file anymore.

nereliz, posted February 21, 2019

Hi,
I know this topic is old. But is there a possibility to remove CSRF from a plug-in form? Let's say my form is located in: https://example.net/admin/plugin/test_plugin/admin_products/add

Regards,
Nerijus Barauskas

Tyson, posted February 21, 2019

Yes, you can disable it similar to what is shown above in the configuration file using the plugin controller and method. But since it's in your plugin, you can always disable it from the source by calling Form::setCsrfOptions prior to Form::create, e.g.:

    $this->Form->setCsrfOptions(['set_on_create' => false]);
    $this->Form->create();

nereliz, posted February 22, 2019

17 hours ago, Tyson said:
> Yes, you can disable it similar to what is shown above in the configuration file using the plugin controller and method. But since it's in your plugin, you can always disable it from the source by calling Form::setCsrfOptions prior to Form::create, e.g.:
>
>     $this->Form->setCsrfOptions(['set_on_create' => false]);
>     $this->Form->create();

Thanks for your response. But I was unable to figure out how to build keys for the configuration file like you have if my controller is in a plugin. I can't set it in the form as this is used via curl. I can't use APIs for this because I need this to be without authentication. It should do a very specific task.

Blesta Addons, posted February 22, 2019

On 11/28/2017 at 11:38 PM, Blesta Addons said:
> A plugin was released to help admins set those pages via the admin panel. No need to edit the file anymore.

Our plugin allows you to do it without changing any line of code in your plugin.