Closed dolmit-tanel-paaro closed 11 months ago
I see that this behavior is the same for the latest version too. See: https://github.com/dachcom-digital/pimcore-members/blob/a38e1353407a7ca8fb4dfe62716a063e5c577126/src/Controller/ResettingController.php#L38
As you can see here, the request gets handled only if a specific method is requested, namely `POST`. I'm not sure which setup you're using, but maybe you've changed it to `GET`? However, this form should submit its values via `POST` to prevent logging sensitive data on the server side.
Okay... now I see - our project is using CoreShop, and its ResourceBundle overrides `HttpFoundationRequestHandler`.
See: HttpFoundationRequestHandler override
It has specifically removed the form method and request method comparison check (mentioned in the class signature 😄). I suppose I have to ask the CoreShop maintainers why it was done like that...
I've asked the CoreShop team: https://github.com/coreshop/CoreShop/discussions/2442
Hey, @solverat @dpfaffenbauer is asking the same question as I am - why is the form handling the request when the form hasn't been submitted? See: https://github.com/coreshop/CoreShop/discussions/2442#discussioncomment-7513287
This issue has been resolved on the side of Members bundle:
CSRF token and form field validation is triggered on form rendering. This is caused by calling `$form->handleRequest($request)`. Why is this method called at that point, where the goal is to simply render the form?
Reference: https://github.com/dachcom-digital/pimcore-members/blob/v4.1.1/src/MembersBundle/Controller/ResettingController.php#L53C9-L53C9
Route: `members_user_resetting_request`
Version: `v4.1.1` (Pimcore v10.6.9)
Note: this issue was present also in the older version when our Pimcore was at v6.9, but I didn't bother reporting it back then.
The view for the `members_user_resetting_request` route
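The thread turns on one mechanism: Symfony's default `HttpFoundationRequestHandler` only submits a form (and therefore only runs CSRF and field validation) when the request method matches the form's configured method, so a plain `GET` render is harmless, but a custom request handler that drops that comparison submits the form on every request. The controller below is an added example, not code from pimcore-members, CoreShop or Symfony; the route name, template path and `ResettingRequestType` form class are hypothetical. It guards `handleRequest()` with an explicit method check so the form is only submitted on `POST`, regardless of which request handler is configured:

```php
<?php
// Added example (not pimcore-members, CoreShop or Symfony code).
// Assumes a standard Symfony controller; App\Form\ResettingRequestType,
// the route names and the template path are hypothetical.

namespace App\Controller;

use App\Form\ResettingRequestType; // hypothetical form type (method defaults to POST)
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class ResettingController extends AbstractController
{
    #[Route('/resetting/request', name: 'app_resetting_request', methods: ['GET', 'POST'])]
    public function request(Request $request): Response
    {
        $form = $this->createForm(ResettingRequestType::class);

        // With Symfony's default request handler, handleRequest() is a no-op on GET
        // because the request method does not match the form's POST method, so no
        // CSRF or field validation runs while rendering. A custom request handler
        // that removes that comparison would submit (and validate) the form on GET,
        // producing spurious CSRF/validation errors on first render. Guarding the
        // call explicitly makes the controller independent of the handler in use.
        if ($request->isMethod('POST')) {
            $form->handleRequest($request);

            if ($form->isSubmitted() && $form->isValid()) {
                // Success path: do not echo the submitted e-mail address back into the
                // response or logs; redirect to a neutral confirmation page instead.
                $this->addFlash('success', 'If the account exists, a reset link has been sent.');

                return $this->redirectToRoute('app_resetting_check_email');
            }
        }

        // GET render, or a POST that failed validation: show the form (with errors, if any).
        return $this->render('resetting/request.html.twig', [
            'form' => $form->createView(),
        ]);
    }
}
```

Keeping the form method at `POST` (the Symfony default) and restricting the route's `methods` to `GET` and `POST` are the two settings that matter here: the `GET` branch never touches `handleRequest()`, so the CSRF token and field values are only ever read from the request body, not from a query string that would end up in server access logs.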