From da314b2f3b8b6fbe1af72bc618a923ca63afa4da Mon Sep 17 00:00:00 2001
From: Helmut Hummel <helmut.hummel@typo3.org>
Date: Tue, 6 Oct 2015 12:06:22 +0200
Subject: [PATCH] [BUGFIX] Make ExtDirect route public

The ExtDirect routes currently have a unique session CSRF token, which
makes caching of these routes impossible.

Since these routes are protected by an individual CSRF token (TYPO3.ExtDirectToken),
we can simply define this route as public to avoid caching issues.

Resolves: #70424
Related: #69916
Releases: master
Change-Id: I0ad018cc80913ea40fc00b88322ee59e24c17799
Reviewed-on: http://review.typo3.org/43843
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
---
 typo3/sysext/backend/Configuration/Backend/AjaxRoutes.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/typo3/sysext/backend/Configuration/Backend/AjaxRoutes.php b/typo3/sysext/backend/Configuration/Backend/AjaxRoutes.php
index bf71f7053e2f..604f8b752241 100644
--- a/typo3/sysext/backend/Configuration/Backend/AjaxRoutes.php
+++ b/typo3/sysext/backend/Configuration/Backend/AjaxRoutes.php
@@ -136,7 +136,8 @@ return [
 	// ExtDirect routing
 	'ext_direct_route' => [
 		'path' => '/ext-direct/route',
-		'target' => \TYPO3\CMS\Core\ExtDirect\ExtDirectRouter::class . '::routeAction'
+		'target' => \TYPO3\CMS\Core\ExtDirect\ExtDirectRouter::class . '::routeAction',
+		'access' => 'public'
 	],
 
 	// ExtDirect API
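Review bot: The new `'access' => 'public'` entry on `ext_direct_route` has no comment explaining why dropping the route-level token is safe, and the hunk does not show the check that replaces it. Per the commit message, protection now rests entirely on `TYPO3.ExtDirectToken`, so `ExtDirectRouter::routeAction` (outside this hunk) must reject any request with a missing or wrong token before dispatching. It is also worth confirming whether `public` relaxes the backend-login requirement in the route dispatcher as well. I would add `// public: no per-session route token (keeps the URL cacheable); routeAction must validate TYPO3.ExtDirectToken itself` above the `'access'` line, and add a test asserting that a call without a valid ExtDirect token is refused. The enclosing `return [` array starts and ends outside the hunk.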
-- 
GitLab