refactor(actions): complete admin request/csrf guard centralization

This commit is contained in:
2026-04-24 19:00:13 +02:00
parent 5e705f780d
commit d7b73fcefe
18 changed files with 464 additions and 67 deletions

View File

@@ -50,16 +50,22 @@ function flashFormErrors(FormErrors $errors, ?string $scope = null, string $keyP
function actionRequirePost(
string $redirect,
bool $jsonAware = false,
string $jsonError = 'method_not_allowed'
string $jsonError = 'method_not_allowed',
int $jsonStatusCode = 405,
array $jsonPayload = [],
bool $forceJson = false
): bool {
if (requestInput()->isMethod('POST')) {
return true;
}
if ($jsonAware && Request::wantsJson()) {
if ($jsonAware && ($forceJson || Request::wantsJson())) {
header('Allow: POST');
http_response_code(405);
Router::json(['error' => trim($jsonError) !== '' ? trim($jsonError) : 'method_not_allowed']);
http_response_code($jsonStatusCode);
$payload = $jsonPayload !== []
? $jsonPayload
: ['error' => trim($jsonError) !== '' ? trim($jsonError) : 'method_not_allowed'];
Router::json($payload);
return false;
}
@@ -79,15 +85,21 @@ function actionRequireCsrf(
bool $jsonAware = false,
string $jsonError = 'csrf',
bool $flashOnFailure = true,
bool $redirectOnFailure = true
bool $redirectOnFailure = true,
int $jsonStatusCode = 400,
array $jsonPayload = [],
bool $forceJson = false
): bool {
if (Session::checkCsrfToken()) {
return true;
}
if ($jsonAware && Request::wantsJson()) {
http_response_code(400);
Router::json(['error' => trim($jsonError) !== '' ? trim($jsonError) : 'csrf']);
if ($jsonAware && ($forceJson || Request::wantsJson())) {
http_response_code($jsonStatusCode);
$payload = $jsonPayload !== []
? $jsonPayload
: ['error' => trim($jsonError) !== '' ? trim($jsonError) : 'csrf'];
Router::json($payload);
return false;
}