bug #9328 [2.3][Form] Changed FormTypeCsrfExtension to use the form's name as default intention (bschussek)
This PR was merged into the 2.3 branch. Discussion ---------- [2.3][Form] Changed FormTypeCsrfExtension to use the form's name as default intention Equivalent of #9327, merged into 2.3. Commits -------c4abe83
Merge branch 'fix-csrf-default-2.2' into fix-csrf-default-2.3b07c618
[Form] Changed FormTypeCsrfExtension to use the form's name as default intention
This commit is contained in:
commit
408769ead1
@ -76,7 +76,7 @@ class FormTypeCsrfExtension extends AbstractTypeExtension
|
|||||||
->addEventSubscriber(new CsrfValidationListener(
|
->addEventSubscriber(new CsrfValidationListener(
|
||||||
$options['csrf_field_name'],
|
$options['csrf_field_name'],
|
||||||
$options['csrf_provider'],
|
$options['csrf_provider'],
|
||||||
$options['intention'],
|
$options['intention'] ?: $builder->getName(),
|
||||||
$options['csrf_message'],
|
$options['csrf_message'],
|
||||||
$this->translator,
|
$this->translator,
|
||||||
$this->translationDomain
|
$this->translationDomain
|
||||||
@ -95,7 +95,7 @@ class FormTypeCsrfExtension extends AbstractTypeExtension
|
|||||||
{
|
{
|
||||||
if ($options['csrf_protection'] && !$view->parent && $options['compound']) {
|
if ($options['csrf_protection'] && !$view->parent && $options['compound']) {
|
||||||
$factory = $form->getConfig()->getAttribute('csrf_factory');
|
$factory = $form->getConfig()->getAttribute('csrf_factory');
|
||||||
$data = $options['csrf_provider']->generateCsrfToken($options['intention']);
|
$data = $options['csrf_provider']->generateCsrfToken($options['intention'] ?: $form->getName());
|
||||||
|
|
||||||
$csrfForm = $factory->createNamed($options['csrf_field_name'], 'hidden', $data, array(
|
$csrfForm = $factory->createNamed($options['csrf_field_name'], 'hidden', $data, array(
|
||||||
'mapped' => false,
|
'mapped' => false,
|
||||||
@ -115,7 +115,7 @@ class FormTypeCsrfExtension extends AbstractTypeExtension
|
|||||||
'csrf_field_name' => $this->defaultFieldName,
|
'csrf_field_name' => $this->defaultFieldName,
|
||||||
'csrf_provider' => $this->defaultCsrfProvider,
|
'csrf_provider' => $this->defaultCsrfProvider,
|
||||||
'csrf_message' => 'The CSRF token is invalid. Please try to resubmit the form.',
|
'csrf_message' => 'The CSRF token is invalid. Please try to resubmit the form.',
|
||||||
'intention' => 'unknown',
|
'intention' => null,
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -140,6 +140,24 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
|
|||||||
$this->assertEquals('token', $view['csrf']->vars['value']);
|
$this->assertEquals('token', $view['csrf']->vars['value']);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testGenerateCsrfTokenUsesFormNameAsIntentionByDefault()
|
||||||
|
{
|
||||||
|
$this->csrfProvider->expects($this->once())
|
||||||
|
->method('generateCsrfToken')
|
||||||
|
->with('FORM_NAME')
|
||||||
|
->will($this->returnValue('token'));
|
||||||
|
|
||||||
|
$view = $this->factory
|
||||||
|
->createNamed('FORM_NAME', 'form', null, array(
|
||||||
|
'csrf_field_name' => 'csrf',
|
||||||
|
'csrf_provider' => $this->csrfProvider,
|
||||||
|
'compound' => true,
|
||||||
|
))
|
||||||
|
->createView();
|
||||||
|
|
||||||
|
$this->assertEquals('token', $view['csrf']->vars['value']);
|
||||||
|
}
|
||||||
|
|
||||||
public function provideBoolean()
|
public function provideBoolean()
|
||||||
{
|
{
|
||||||
return array(
|
return array(
|
||||||
@ -180,6 +198,37 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
|
|||||||
$this->assertSame($valid, $form->isValid());
|
$this->assertSame($valid, $form->isValid());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @dataProvider provideBoolean
|
||||||
|
*/
|
||||||
|
public function testValidateTokenOnBindIfRootAndCompoundUsesFormNameAsIntentionByDefault($valid)
|
||||||
|
{
|
||||||
|
$this->csrfProvider->expects($this->once())
|
||||||
|
->method('isCsrfTokenValid')
|
||||||
|
->with('FORM_NAME', 'token')
|
||||||
|
->will($this->returnValue($valid));
|
||||||
|
|
||||||
|
$form = $this->factory
|
||||||
|
->createNamedBuilder('FORM_NAME', 'form', null, array(
|
||||||
|
'csrf_field_name' => 'csrf',
|
||||||
|
'csrf_provider' => $this->csrfProvider,
|
||||||
|
'compound' => true,
|
||||||
|
))
|
||||||
|
->add('child', 'text')
|
||||||
|
->getForm();
|
||||||
|
|
||||||
|
$form->submit(array(
|
||||||
|
'child' => 'foobar',
|
||||||
|
'csrf' => 'token',
|
||||||
|
));
|
||||||
|
|
||||||
|
// Remove token from data
|
||||||
|
$this->assertSame(array('child' => 'foobar'), $form->getData());
|
||||||
|
|
||||||
|
// Validate accordingly
|
||||||
|
$this->assertSame($valid, $form->isValid());
|
||||||
|
}
|
||||||
|
|
||||||
public function testFailIfRootAndCompoundAndTokenMissing()
|
public function testFailIfRootAndCompoundAndTokenMissing()
|
||||||
{
|
{
|
||||||
$this->csrfProvider->expects($this->never())
|
$this->csrfProvider->expects($this->never())
|
||||||
|
Reference in New Issue
Block a user