From d04a3b76af6ae7dc76ccbb98c92941220187f2b8 Mon Sep 17 00:00:00 2001
From: Ismail Kattakath <ismail@kattakath.com>
Date: Thu, 14 May 2026 15:06:39 -0400
Subject: [PATCH] fix: guard against None request in reject_simple_form_post

queue_batch() calls update_comfyui(None) as an internal trigger when
processing an 'update_comfyui' batch item. update_comfyui() passes this
directly to reject_simple_form_post(), which unconditionally accesses
request.content_type, crashing with:

    AttributeError: 'NoneType' object has no attribute 'content_type'

This broke the 'Update All' button in the legacy Manager UI.

Fix: return None early when request is None. An internal call with no
request object cannot be a cross-origin form POST, so CSRF gating does
not apply.

Fixes #2880
---
 comfyui_manager/common/manager_security.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/comfyui_manager/common/manager_security.py b/comfyui_manager/common/manager_security.py
index dd9477db..f03c752b 100644
--- a/comfyui_manager/common/manager_security.py
+++ b/comfyui_manager/common/manager_security.py
@@ -62,6 +62,8 @@ def reject_simple_form_post(request) -> Optional[web.Response]:
         strips parameters), so a ``multipart/form-data; boundary=----X`` header
         is compared as ``multipart/form-data``.
     """
+    if request is None:
+        return None
     if request.content_type in _SIMPLE_FORM_CONTENT_TYPES:
         return web.Response(
             status=400,