(chore): remove XSRF for GET and only use for modifiers

eb498369 · Mark Harding · b08a0e7b · eb498369
Commit eb498369 authored 35 minutes ago by Mark Harding
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions
--- a/Core/Security/XSRF.php
+++ b/Core/Security/XSRF.php
@@ -17,8 +17,8 @@ class XSRF

    public static function validateRequest()
    {
-        if (!Core\Session::isLoggedIn() && $_SERVER['REQUEST_METHOD'] === 'GET') {
-            return true; // If logged out and GET request we can accept
+        if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+            return true; // XSRF only needed for modifiers
        }

        if (!isset($_SERVER['HTTP_X_XSRF_TOKEN'])) {