- Issue created by @mglaman
- 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
Definitely is blocked on 🐛 Controllers performing data modification should make use of CSRF tokens via /session/token Active.
- 🇺🇸United States mglaman WI, USA
After reading 🐛 Controllers performing data modification should make use of CSRF tokens via /session/token Active, I think the approach should be changed. Originally the idea was just a regular link which would redirect to the editor. Instead it should be a POST request and then redirect based off of the response data.
Request:
POST /api/create/xb_page
Response:
201 Created
{ "data": { "xb_page": { "id": 123 } } }
Then the editor can redirect to /xb/xb_page/123. This unblocks the need for CSRF since we're using a POST method.
- 🇺🇸United States mglaman WI, USA
After looking at the update route
experience_builder.api.content.update:
  path: '/xb/api/content-update/{entity_type}/{entity}'
I suppose it should be
experience_builder.api.content.create:
  path: '/xb/api/content-update/{entity_type}'
But we have logic in the controller which fails if the entity type is anything else but xb_page (for now).
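The create-then-redirect flow proposed in #5, with the CSRF token from /session/token that the blocking issue requires, as an added client-side example (not Experience Builder's own code): the create endpoint path, the empty POST body and the 201 response shape are assumptions taken from this thread, and the fetch stand-in is constructed so the example runs offline.

```javascript
// Added example, not XB code. Assumed create route (per #5/#7) and Drupal core's token route.
const CREATE_PATH = '/xb/api/content-create'; // assumption: sibling of content-update
const TOKEN_PATH = '/session/token';          // Drupal core route returning the session CSRF token

// Fetch the CSRF token Drupal requires on cookie-authenticated, state-changing requests.
async function getCsrfToken(fetchFn) {
  const res = await fetchFn(TOKEN_PATH, { credentials: 'same-origin' });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.text()).trim();
}

// POST to create the entity, then derive the editor URL from the 201 body
// (the redirect is driven by response data, not by a GET link).
async function createAndGetEditorUrl(entityType, fetchFn) {
  const token = await getCsrfToken(fetchFn);
  const res = await fetchFn(`${CREATE_PATH}/${encodeURIComponent(entityType)}`, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'X-CSRF-Token': token, 'Content-Type': 'application/json' },
    body: '{}', // title is server-populated ("Untitled page"), so nothing to send yet
  });
  if (res.status !== 201) throw new Error(`create failed: ${res.status}`);
  const body = await res.json();
  const id = body?.data?.[entityType]?.id;
  if (!Number.isInteger(id)) throw new Error('response lacks entity id');
  return `/xb/${entityType}/${id}`;
}

// Constructed stand-in for fetch so the example runs offline. It rejects a POST
// whose X-CSRF-Token header does not match the issued token, like a route with
// _csrf_request_header_token would.
function makeFakeFetch() {
  const token = 'constructed-token';
  return async (url, opts = {}) => {
    if (url === TOKEN_PATH) return { ok: true, status: 200, text: async () => token };
    const hasToken = opts.headers?.['X-CSRF-Token'] === token;
    if (opts.method === 'POST' && !hasToken) return { ok: false, status: 403, json: async () => ({}) };
    return { ok: true, status: 201, json: async () => ({ data: { xb_page: { id: 123 } } }) };
  };
}
```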
- 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
🐛 Controllers performing data modification should make use of CSRF tokens via /session/token Active landed.
#5: hm … so then the entity would exist immediately, but need to be invalid, because the required title cannot yet be specified by the author.
Plus, it'd need to be marked as unpublished (EntityPublishedInterface::setUnpublished()). I'm sure we can make all that work at the technical level. I'm not sure what the UX would look like exactly?
- 🇺🇸United States mglaman WI, USA
required title cannot yet be specified by the author.
The title is populated as "Untitled page".
It is also specified that it should be unpublished.
This was approved by laurii and I believe effulgentsia.
Edit:
The UX is: Click "New", brought to editor for a page named "Untitled page".