From 00896cf231a5c26a1306060b5aa9fa4b42708640 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 29 Mar 2024 10:34:43 +0900
Subject: [PATCH] feat: environment-specific Config\Security::$redirect
---
 app/Config/Security.php | 4 +++-
 user_guide_src/source/changelogs/v4.5.0.rst | 3 +++
 user_guide_src/source/installation/upgrade_450.rst | 3 +++
 user_guide_src/source/libraries/security.rst | 12 +++++++-----
 4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/app/Config/Security.php b/app/Config/Security.php
index 57be4ee41541..0858b9bbb257 100644
--- a/app/Config/Security.php
+++ b/app/Config/Security.php
@@ -79,8 +79,10 @@ class Security extends BaseConfig
 * --------------------------------------------------------------------------
 *
 * Redirect to previous page with error on failure.
+ *
+ * @see https://codeigniter4.github.io/userguide/libraries/security.html#redirection-on-failure
 */
- public bool $redirect = false;
+ public bool $redirect = (ENVIRONMENT === 'production');
 /**
 * --------------------------------------------------------------------------
diff --git a/user_guide_src/source/changelogs/v4.5.0.rst b/user_guide_src/source/changelogs/v4.5.0.rst
index fef00aa02da5..dda80fbca732 100644
--- a/user_guide_src/source/changelogs/v4.5.0.rst
+++ b/user_guide_src/source/changelogs/v4.5.0.rst
@@ -196,6 +196,9 @@ Others
 if the HTTP method is different.
 - **Bootstrap:** The ``CodeIgniter\Boot`` class has been introduced, replacing **system/bootstrap.php**.
+- **Security:** ``Config\Security::$redirect`` is now, by default, environment-specific. For production environment, changed to ``true`` but is still ``false`` for other environments.
 ********
 BREAKING
diff --git a/user_guide_src/source/installation/upgrade_450.rst b/user_guide_src/source/installation/upgrade_450.rst
index 27fe4bc67593..4304d8203662 100644
--- a/user_guide_src/source/installation/upgrade_450.rst
+++ b/user_guide_src/source/installation/upgrade_450.rst
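Review bot: The new initializer `public bool $redirect = (ENVIRONMENT === 'production');` makes loading `Config\Security` depend on the `ENVIRONMENT` constant already being defined; on PHP 8 an undefined constant is a thrown `Error`, so a config that was previously inert now fails hard if it is ever loaded outside the normal bootstrap (CLI tooling, tests that instantiate configs directly). The docblock only says "Redirect to previous page with error on failure." and should state the new contract, e.g. `Defaults to true in production and false in every other environment; the ENVIRONMENT constant must be defined before this config is loaded.` Worth confirming as well that the redirect path still writes a log entry for the failed CSRF check: with the production default now `true`, a failure no longer surfaces as a SecurityException, so any alerting built on the exception-handler log loses that signal unless the redirect branch (outside this patch) logs it itself.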
@@ -327,6 +327,9 @@ Others
 - app/Config/Kint.php - It no longer extends ``BaseConfig`` because enabling :ref:`factories-config-caching` could cause errors.
+- app/Config/Security.php - The property ``$redirect`` has been changed to ``true`` in ``production`` environment.
 All Changes
 ===========
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 6937efde012d..9aa684101c57 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -130,15 +130,17 @@ may alter this behavior by editing the following config parameter value in
 Redirection on Failure
 ----------------------
-Since v4.3.0, when a request fails the CSRF validation check,
-it will throw a SecurityException by default,
+Starting with v4.5.0, when a request fails the CSRF validation check, by default,
+the user is redirected to the previous page in production environment, or a
+SecurityException is thrown in other environments.
 .. note:: In production environment, when you use HTML forms, it is recommended to enable this redirection for a better user experience.
-If you want to make it redirect to the previous page,
-change the following config parameter value in
-**app/Config/Security.php**:
+ Upgrade users should check their configuration files.
+
+If you want to make it redirect to the previous page, set the following config
+parameter value to ``true`` in **app/Config/Security.php**:
 .. literalinclude:: security/005.php