For testing and similar purposes you will sometimes want to disable the CSRF check for a particular controller or action.
In CakePHP 4.1 you can do this for a specific controller or action with the configuration below, which uses the `skipCheckCallback()` method that `CsrfProtectionMiddleware` gained in 4.1 (it replaces the deprecated `whitelistCallback()`). Keep in mind what the exemption means: every state-changing action on the exempted controller becomes callable by a cross-site request from any page the victim visits, so make the callback as narrow as possible, and do not leave such an exemption in production unless the controller is a non-browser API endpoint that is not authenticated by cookies.
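If the only reason for the exemption is to get integration tests to pass, the middleware can stay enabled: `IntegrationTestTrait::enableCsrfToken()` makes the test client send the CSRF cookie and the matching token field, just as a browser form would. The test case below is an added example and not code from the original post; the `SamplesController` route `/samples/add` and the posted field are hypothetical.

```php
<?php
// Added example, not from the original post. Assumes a CakePHP 4.1 application
// with the stock CsrfProtectionMiddleware enabled in src/Application.php.
// SamplesController and its `add` action are hypothetical names.
declare(strict_types=1);

namespace App\Test\TestCase\Controller;

use Cake\TestSuite\IntegrationTestTrait;
use Cake\TestSuite\TestCase;

class SamplesControllerTest extends TestCase
{
    use IntegrationTestTrait;

    public function testAddAcceptsRequestWithCsrfToken(): void
    {
        // Attach a CSRF cookie and the matching `_csrfToken` form field to the
        // next request, so the middleware accepts it without being disabled.
        $this->enableCsrfToken();

        $this->post('/samples/add', ['name' => 'example']);
        $this->assertResponseSuccess();
    }

    public function testAddRejectsRequestWithoutCsrfToken(): void
    {
        // Without enableCsrfToken() the middleware throws
        // InvalidCsrfTokenException, which ErrorHandlerMiddleware renders as 403.
        // Keeping this test documents that the protection is still in place.
        $this->post('/samples/add', ['name' => 'example']);
        $this->assertResponseCode(403);
    }
}
```

Because the protection stays active in the test run, a regression that accidentally removes the middleware from `Application::middleware()` is caught by the second test rather than hidden by a blanket exemption.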
File to modify
src/Application.php
In the example below, the CSRF check is skipped whenever the request is routed to SamplesController (the callback returns true to skip the check and false to enforce it). Because the check is decided per request, the callback can only inspect routing parameters if CsrfProtectionMiddleware is added after RoutingMiddleware, which is the order the stock Application.php already uses.
Before

```php
// src/Application.php: the middleware() method of class Application
// (stock CakePHP 4.1 skeleton; the use statements at the top of the file are unchanged).

/**
 * Setup the middleware queue your application will use.
 *
 * @param \Cake\Http\MiddlewareQueue $middlewareQueue The middleware queue to setup.
 * @return \Cake\Http\MiddlewareQueue The updated middleware queue.
 */
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
    $middlewareQueue
        // Catch any exceptions in the lower layers,
        // and make an error page/response
        ->add(new ErrorHandlerMiddleware(Configure::read('Error')))

        // Handle plugin/theme assets like CakePHP normally does.
        ->add(new AssetMiddleware([
            'cacheTime' => Configure::read('Asset.cacheTime'),
        ]))

        // Add routing middleware.
        // If you have a large number of routes connected, turning on routes
        // caching in production could improve performance. For that when
        // creating the middleware instance specify the cache config name by
        // using its second constructor argument:
        // `new RoutingMiddleware($this, '_cake_routes_')`
        ->add(new RoutingMiddleware($this))

        // Parse various types of encoded request bodies so that they are
        // available as array through $request->getData()
        // https://book.cakephp.org/4/en/controllers/middleware.html#body-parser-middleware
        ->add(new BodyParserMiddleware())

        // Cross Site Request Forgery (CSRF) Protection Middleware
        // https://book.cakephp.org/4/en/controllers/middleware.html#cross-site-request-forgery-csrf-middleware
        ->add(new CsrfProtectionMiddleware([
            'httponly' => true,
        ]));

    return $middlewareQueue;
}
```
After

```php
// src/Application.php: the middleware() method of class Application.
// Only the CsrfProtectionMiddleware construction changes; it is created up front so
// that skipCheckCallback() can be attached before it is added to the queue.

/**
 * Setup the middleware queue your application will use.
 *
 * @param \Cake\Http\MiddlewareQueue $middlewareQueue The middleware queue to setup.
 * @return \Cake\Http\MiddlewareQueue The updated middleware queue.
 */
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
    $csrf = new CsrfProtectionMiddleware(['httponly' => true]);

    // Return true to skip the CSRF check for this request, false to enforce it.
    // The routing parameters are available here because this middleware is added
    // after RoutingMiddleware below.
    $csrf->skipCheckCallback(function ($request): bool {
        $controller = $request->getParam('controller');
        $action = $request->getParam('action');

        // Unresolved route: never exempt.
        if ($controller === null || $action === null) {
            return false;
        }

        // Exempt every action of SamplesController.
        if ($controller === 'Samples') {
            return true;
        }

        return false;
    });

    $middlewareQueue
        // Catch any exceptions in the lower layers,
        // and make an error page/response
        ->add(new ErrorHandlerMiddleware(Configure::read('Error')))

        // Handle plugin/theme assets like CakePHP normally does.
        ->add(new AssetMiddleware([
            'cacheTime' => Configure::read('Asset.cacheTime'),
        ]))

        // Add routing middleware.
        // If you have a large number of routes connected, turning on routes
        // caching in production could improve performance. For that when
        // creating the middleware instance specify the cache config name by
        // using its second constructor argument:
        // `new RoutingMiddleware($this, '_cake_routes_')`
        ->add(new RoutingMiddleware($this))

        // Parse various types of encoded request bodies so that they are
        // available as array through $request->getData()
        // https://book.cakephp.org/4/en/controllers/middleware.html#body-parser-middleware
        ->add(new BodyParserMiddleware())

        // Cross Site Request Forgery (CSRF) Protection Middleware
        // https://book.cakephp.org/4/en/controllers/middleware.html#cross-site-request-forgery-csrf-middleware
        //->add(new CsrfProtectionMiddleware([
        //    'httponly' => true,
        //]));
        ->add($csrf);

    return $middlewareQueue;
}
```
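The callback above exempts a whole controller unconditionally, which is more than a test usually needs. The class below is an added example (not code from the original post or from CakePHP itself) showing a narrower policy for the same `skipCheckCallback()` hook: it only skips when debug mode is on, the route has been resolved, the request is not a plugin or prefixed route, and the controller/action pair is on an explicit allow-list. The class name `App\Http\CsrfSkipPolicy` and the allow-list entries (`Samples` with `index` and `echo`) are names chosen for the example; the decision is kept in a pure static method so it can be unit-tested without building a request.

```php
<?php
// Added example, not from the original post or from CakePHP. Assumes the same
// stock CakePHP 4.1 src/Application.php as above. `App\Http\CsrfSkipPolicy` and
// the allow-list entries are hypothetical names chosen for this example.
declare(strict_types=1);

namespace App\Http;

use Cake\Core\Configure;
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Http\ServerRequest;

final class CsrfSkipPolicy
{
    /** Controller => actions that may be called without a CSRF token (hypothetical). */
    private const ALLOW_LIST = [
        'Samples' => ['index', 'echo'],
    ];

    /**
     * Pure decision function: true means "skip the CSRF check".
     * Skips only when debug mode is on, the route is resolved, the request is not
     * a plugin or prefixed route, and the controller/action pair is allow-listed.
     */
    public static function shouldSkip(
        bool $debug,
        ?string $controller,
        ?string $action,
        ?string $prefix = null,
        ?string $plugin = null
    ): bool {
        if (!$debug) {
            // Never exempt anything outside debug mode (i.e. in production).
            return false;
        }
        if ($controller === null || $action === null) {
            // Unresolved route: enforce the check.
            return false;
        }
        if ($prefix !== null || $plugin !== null) {
            // Plugin and prefixed routes (e.g. Admin) are never exempted.
            return false;
        }

        return isset(self::ALLOW_LIST[$controller])
            && in_array($action, self::ALLOW_LIST[$controller], true);
    }

    /**
     * Builds the middleware to add in Application::middleware() in place of
     * `new CsrfProtectionMiddleware([...])`. It must be added after
     * RoutingMiddleware so that the routing parameters are populated.
     */
    public static function middleware(): CsrfProtectionMiddleware
    {
        $csrf = new CsrfProtectionMiddleware(['httponly' => true]);

        $csrf->skipCheckCallback(function (ServerRequest $request): bool {
            return self::shouldSkip(
                (bool)Configure::read('debug'),
                $request->getParam('controller'),
                $request->getParam('action'),
                $request->getParam('prefix'),
                $request->getParam('plugin')
            );
        });

        return $csrf;
    }
}

// Usage in src/Application.php, replacing the CsrfProtectionMiddleware ->add() call:
//     ->add(\App\Http\CsrfSkipPolicy::middleware());
//
// Sanity checks of the pure decision function:
//     CsrfSkipPolicy::shouldSkip(true,  'Samples', 'index')           === true
//     CsrfSkipPolicy::shouldSkip(true,  'Samples', 'delete')          === false
//     CsrfSkipPolicy::shouldSkip(false, 'Samples', 'index')           === false
//     CsrfSkipPolicy::shouldSkip(true,  'Samples', 'index', 'Admin')  === false
//     CsrfSkipPolicy::shouldSkip(true,  null, null)                   === false
```

Tying the exemption to `Configure::read('debug')` means a deployment that correctly sets `debug` to false in `config/app_local.php` automatically re-enables the check everywhere, so forgetting to remove the callback before release does not silently ship a CSRF-exempt controller.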