Merge pull request #8673 from kenjis/config-Security-redirect

kenjis · web-flow · commit 0bab68b48ac3 · 2024-03-31T08:54:48.000+09:00
feat: environment-specific Config\Security::$redirect
diff --git a/app/Config/Security.php b/app/Config/Security.php
@@ -79,8 +79,10 @@ class Security extends BaseConfig
      * --------------------------------------------------------------------------
      *
      * Redirect to previous page with error on failure.
+     *
+     * @see https://codeigniter4.github.io/userguide/libraries/security.html#redirection-on-failure
      */
-    public bool $redirect = false;
+    public bool $redirect = (ENVIRONMENT === 'production');
 
     /**
      * --------------------------------------------------------------------------
diff --git a/user_guide_src/source/changelogs/v4.5.0.rst b/user_guide_src/source/changelogs/v4.5.0.rst
@@ -199,6 +199,9 @@ Others
   if the HTTP method is different.
 - **Bootstrap:** The ``CodeIgniter\Boot`` class has been introduced, replacing
   **system/bootstrap.php**.
+- **Security:** ``Config\Security::$redirect`` is now, by default, environment-specific.
+  For production environment, changed to ``true`` but is still ``false`` for other
+  environments.
 
 ********
 BREAKING
diff --git a/user_guide_src/source/installation/upgrade_450.rst b/user_guide_src/source/installation/upgrade_450.rst
@@ -327,6 +327,9 @@ Others
 - app/Config/Kint.php
     - It no longer extends ``BaseConfig`` because enabling
       :ref:`factories-config-caching` could cause errors.
+- app/Config/Security.php
+    - The property ``$redirect`` has been changed to ``true`` in ``production``
+      environment.
 
 All Changes
 ===========
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
@@ -130,15 +130,17 @@ may alter this behavior by editing the following config parameter value in
 Redirection on Failure
 ----------------------
 
-Since v4.3.0, when a request fails the CSRF validation check,
-it will throw a SecurityException by default,
+Starting with v4.5.0, when a request fails the CSRF validation check, by default,
+the user is redirected to the previous page in production environment, or a
+SecurityException is thrown in other environments.
 
 .. note:: In production environment, when you use HTML forms, it is recommended
     to enable this redirection for a better user experience.
 
-If you want to make it redirect to the previous page,
-change the following config parameter value in
-**app/Config/Security.php**:
+    Upgrade users should check their configuration files.
+
+If you want to make it redirect to the previous page, set the following config
+parameter value to ``true`` in **app/Config/Security.php**:
 
 .. literalinclude:: security/005.php
 
