disable auto register csrf

luyadev · Feb 11, 2021 · 4edfdb0 · 4edfdb0
1 parent 69be64c
commit 4edfdb0
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/core/CHANGELOG.md b/core/CHANGELOG.md
@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/).
 In order to read more about upgrading and BC breaks have a look at the [UPGRADE Document](UPGRADE.md).
 
+## 2.0.0 ()
+
+> Check the [UPGRADE document](UPGRADE.md) to read more about breaking changes.
+
++ [#2068](https://github.com/luyadev/luya/issues/2068) Disabled the automatically register process of CSRF tokens. Since ActiveForms are widely used they register the CSRF token.
+
 ## 1.9.0 (11. February 2020)
 
 + [#2074](https://github.com/luyadev/luya/pull/2074) Replace helpers with `luya\yii-helpers` library. Added testsuite 2.0 for php 8.0 and 7.0 tests.

diff --git a/core/UPGRADE.md b/core/UPGRADE.md
@@ -3,6 +3,16 @@ LUYA UPGRADE
 
 This document will help you upgrading from a LUYA Version into another. For more detailed informations about the breaking changes **click the issue detail link**, there you can examples of how to change your code.
 
+## 2.0.0
+
++ [#2068](https://github.com/luyadev/luya/issues/2068) In order to restore the auto register mechanism for csrf tokens either use `ActiveForms` or configure your component:
+
+```php
+$config->webComponent('view', [
+    'autoRegisterCsrf' => true,
+]);
+```
+
 ## 1.6.0
 
 + [#2037](https://github.com/luyadev/luya/issues/2037) The LazyLoad widget now surrounds the image with a wrapper class (that will have the extraClass applied), keep that in mind - you might need to tweak your CSS a little bit. By default this wrapper will then be replaced by the actual image tag (Option: `replacePlaceholder`).

diff --git a/core/web/View.php b/core/web/View.php
@@ -23,7 +23,7 @@ class View extends \yii\web\View
      * @var boolean If csrf validation is enabled in the request component, and autoRegisterCsrf is enabled, then
      * all the meta informations will be auto added to meta tags.
      */
-    public $autoRegisterCsrf = true;
+    public $autoRegisterCsrf = false;
 
     /**
      * Init view object. Implements auto register csrf meta tokens.