
Solution to form submission when the user is logged off

We found a need to allow a specific form to be displayed and processed even when the user is logged off. One use case is when an employee fills in a form requesting to be invited (normally we pre-invite users).

We noticed that the test for postback always returns false. Upon investigation, we discovered that the culprit is the authenticatedPostBack function, which validates the transient key before returning the correct response.

Our solution is shown below:

// Members: authenticatedPostBack() also checks that the submitted transient key matches the session.
if (Gdn::Session()->IsValid()) {
    $Postback = $Sender->Form->authenticatedPostBack();
} else {
    // Guests fail the transient-key check, so fall back to a plain "is this a POST" test
    // (note: this branch carries no CSRF protection).
    $Postback = Gdn::request()->isPostBack();
}

Seems safe within our intranet confines.

I would appreciate some feedback on this solution.


Comments

  • In the code above, the if condition can be dropped completely and you can simply use $Postback = Gdn::request()->isPostBack();

    The EntryController, which also requires non-users to send data, also uses isPostBack(). authenticatedPostBack() adds a security layer that you should always use if it is critical from whom the form data was sent.
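Added example (not code from this thread or from Vanilla) covering both the poster's if/else and the suggestion to drop it: it keeps the transient-key check for members but gives guests their own token check instead of a bare isPostBack(), so the logged-off path still rejects cross-site posts. It assumes PHP 7.3+, and the names GUEST_TOKEN, guestFormToken(), guestPostBack() and inviteFormPostBack() are made up for this example, not Vanilla APIs.

```php
<?php
// Added example, not code from this thread or from Vanilla. It keeps the
// poster's if/else (transient key for members) but replaces the bare
// isPostBack() fallback with a per-browser token, so a cross-site POST
// from a guest browser is rejected. GUEST_TOKEN, guestFormToken(),
// guestPostBack() and inviteFormPostBack() are assumed names, not Vanilla APIs.
const GUEST_TOKEN = 'GuestFormToken';

// Mint a random token once per browser: echo it into a hidden form field
// and store it in an HttpOnly, Secure, SameSite=Lax cookie (PHP 7.3+ setcookie()).
function guestFormToken(): string {
    if (empty($_COOKIE[GUEST_TOKEN])) {
        $_COOKIE[GUEST_TOKEN] = bin2hex(random_bytes(16));
        if (!headers_sent()) {
            setcookie(GUEST_TOKEN, $_COOKIE[GUEST_TOKEN],
                ['httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/']);
        }
    }
    return $_COOKIE[GUEST_TOKEN];
}

// Guest counterpart of authenticatedPostBack(): must be a POST, and the
// submitted field must equal the cookie (constant-time comparison).
function guestPostBack(string $method, array $post, array $cookie): bool {
    $expected = $cookie[GUEST_TOKEN] ?? '';
    $given    = $post[GUEST_TOKEN] ?? '';
    return $method === 'POST' && $expected !== '' && is_string($given)
        && hash_equals($expected, $given);
}

// Drop-in for the poster's if/else. In a plugin the two booleans come from
// Gdn::Session()->IsValid() and $Sender->Form->authenticatedPostBack().
function inviteFormPostBack(bool $sessionValid, bool $authenticatedPostBack,
                            string $method, array $post, array $cookie): bool {
    return $sessionValid ? $authenticatedPostBack
                         : guestPostBack($method, $post, $cookie);
}

// Constructed requests (run with `php this_file.php`): a guest whose hidden
// field matches the cookie, then a POST without the field, which is what a
// form posted from another site looks like (it cannot read the cookie).
$token = bin2hex(random_bytes(16));
$legit = inviteFormPostBack(false, false, 'POST', [GUEST_TOKEN => $token], [GUEST_TOKEN => $token]);
$cross = inviteFormPostBack(false, false, 'POST', ['Email' => 'guest@example.com'], [GUEST_TOKEN => $token]);
var_dump($legit, $cross);
```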
