CI Upgrade 2.1.2 to 2.1.3+ CSRF Issues
#1

[eluser]Unknown[/eluser]
So I'm working to upgrade CI from 2.1.2 to 2.1.4 and I'm running into CSRF issues. Starting in CI 2.1.3, the core Security constructor checks whether the config option 'csrf_protection' is set to true. Our default setting for the config option has been false, I'm assuming because previous developers wanted to manually call csrf_verify and not have to whitelist a bunch of URLs. With 2.1.3+ I can't manually call $this->security->get_csrf_hash() and get a valid hash, so how do I manually create/verify a CSRF token if I've got 'csrf_protection' set to false?

I realize I can override the core Security class; I'm just trying to understand what the intended process is.

Also, as a side note, flipping the csrf_protection switch to true now results in the CSRF automatically being verified, which is great. Unfortunately, if you have manually verified it in the code, it creates this state where it's verified as true on the first pass (the Input class) and false on the second, which takes a little while to figure out. I'm not sure of the best "fix", but it would be nice to make a note in the code of the Security class saying not to verify the CSRF, so a CI user can more quickly figure out the culprit of the dreaded "The action you have requested is not allowed.".

Thank you!
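The double-verification pitfall described above, shown as an added example (this is not CodeIgniter's code and not the poster's; the class `SimpleCsrf`, its method names and the constructed `$post`/`$cookie` arrays are this example's own). It models a double-submit-cookie check in the style the post describes: a hash exists only when protection is enabled, and a successful verification consumes the POST token and rotates the cookie, so a second `verify()` call for the same request fails.

```php
<?php
// Added example, not CodeIgniter's own Security class. It illustrates why a
// request that passes an automatic CSRF check can fail a second, manual check
// in the same request, and why get_csrf_hash() is empty while protection is off.

class SimpleCsrf
{
    private $enabled;
    private $tokenName  = 'csrf_test_name';   // assumed field/cookie names for this example
    private $cookieName = 'csrf_cookie_name';
    private $hash       = '';

    public function __construct($enabled)
    {
        $this->enabled = $enabled;
        // As in CI 2.1.3+, a hash is only generated when protection is on.
        if ($this->enabled) {
            $this->hash = bin2hex(random_bytes(16));
        }
    }

    public function get_csrf_hash()
    {
        return $this->hash;
    }

    // Compares the POST token with the cookie token. On success the POST token
    // is removed and a fresh hash is issued to the cookie, so the same request
    // cannot be verified a second time.
    public function verify($method, array &$post, array &$cookie)
    {
        if (!$this->enabled || $method !== 'POST') {
            return true;                         // nothing to check
        }
        if (!isset($post[$this->tokenName], $cookie[$this->cookieName])) {
            return false;                        // token missing on one side
        }
        if (!hash_equals($cookie[$this->cookieName], $post[$this->tokenName])) {
            return false;                        // tokens differ
        }
        unset($post[$this->tokenName]);          // keep the token out of $_POST
        $this->hash = bin2hex(random_bytes(16)); // rotate the token
        $cookie[$this->cookieName] = $this->hash;
        return true;
    }
}

// Constructed request: the browser echoed the cookie value back in the form field.
$csrf   = new SimpleCsrf(true);
$cookie = array('csrf_cookie_name' => $csrf->get_csrf_hash());
$post   = array('csrf_test_name' => $cookie['csrf_cookie_name'], 'title' => 'hello');

var_dump($csrf->verify('POST', $post, $cookie)); // first pass, as the Input class does it
var_dump($csrf->verify('POST', $post, $cookie)); // second, manual call for the same request

// With protection off there is no hash and verify() is a no-op, so manual
// verification would need its own token generation and storage.
$off = new SimpleCsrf(false);
var_dump($off->get_csrf_hash());
```

Running it prints `true` for the first check and `false` for the second, which is the true-then-false state the post describes; the last line prints an empty string. The practical takeaway is that with csrf_protection enabled the check should happen exactly once, in the framework, and any leftover manual csrf_verify calls in controllers should be removed rather than worked around.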



