HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Solution to form submission when the user is logged off

rbrahmsonrbrahmson "You may say I'm a dreamer / But I'm not the only one"NY ✭✭✭

We found a need to allow a specific form to be displayed and processed even when the user is logged off. One use case is when an employee fills in a form requesting to be invited (norally we pre-invite users).

We noticed that the test for postback always returns false,upon investigation we discovered that the culprit is aWe found that the culprit is with the authenticatedPostBack function that validates the transient key before returning the correct response.

Our solution is shown below:

if (Gdn::Session()->IsValid()) {
      $Postback = $Sender->Form->authenticatedPostBack();
} else {
      $Postback = Gdn::request()->isPostBack();

Seems safe within our intranet confines.

I would appreciate some feedback on this solution.



  • Options
    R_JR_J Ex-Fanboy Munich Admin

    In the code above, the if condition can be dropped completely and you can simply use $Postback = Gdn::request()->isPostBack();

    The EntryController which also requires non-users to send data also uses isPostBack(). authenticatedPostBack() adds a security layer that you should always use if it is critical from whom the form data was sent.

Sign In or Register to comment.