[Form] Fixed: CSRF protection did not run if token was missing
This commit is contained in:
parent
eb75ab1b74
commit
c623fcf4d4
@ -63,8 +63,8 @@ class CsrfValidationListener implements EventSubscriberInterface
|
||||||
$form = $event->getForm();
|
$form = $event->getForm();
|
||||||
$data = $event->getData();
|
$data = $event->getData();
|
||||||
|
|
||||||
if ($form->isRoot() && $form->hasChildren() && isset($data[$this->fieldName])) {
|
if ($form->isRoot() && $form->hasChildren()) {
|
||||||
if (!$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {
|
if (!isset($data[$this->fieldName]) || !$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {
|
||||||
$form->addError(new FormError('The CSRF token is invalid. Please try to resubmit the form'));
|
$form->addError(new FormError('The CSRF token is invalid. Please try to resubmit the form'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
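Review bot: The new guard on the inner `if` still indexes `$data` before confirming it is an array; on PHP 5.3 `isset($string['csrf'])` is true for any non-empty string, so a bound scalar would be treated as carrying a token and judged only by `isCsrfTokenValid` on its first character (later PHP versions return false there, so this is a version-dependent edge). A cheap tightening is `if (!is_array($data) || !isset($data[$this->fieldName]) || !$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {`. The fixed intent also deserves a comment above the outer `if`, e.g. `// A missing token must fail exactly like an invalid one, otherwise omitting the field bypasses the check.`, since the previous version silently skipped validation in that case. The enclosing method begins and ends outside the hunk.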
@ -171,6 +171,32 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
|
||||||
$this->assertSame($valid, $form->isValid());
|
$this->assertSame($valid, $form->isValid());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testFailIfRootAndChildrenAndTokenMissing()
|
||||||
|
{
|
||||||
|
$this->csrfProvider->expects($this->never())
|
||||||
|
->method('isCsrfTokenValid');
|
||||||
|
|
||||||
|
$form = $this->factory
|
||||||
|
->createBuilder('form', null, array(
|
||||||
|
'csrf_field_name' => 'csrf',
|
||||||
|
'csrf_provider' => $this->csrfProvider,
|
||||||
|
'intention' => '%INTENTION%'
|
||||||
|
))
|
||||||
|
->add($this->factory->createNamedBuilder('form', 'child'))
|
||||||
|
->getForm();
|
||||||
|
|
||||||
|
$form->bind(array(
|
||||||
|
'child' => 'foobar',
|
||||||
|
// token is missing
|
||||||
|
));
|
||||||
|
|
||||||
|
// Remove token from data
|
||||||
|
$this->assertSame(array('child' => 'foobar'), $form->getData());
|
||||||
|
|
||||||
|
// Validate accordingly
|
||||||
|
$this->assertFalse($form->isValid());
|
||||||
|
}
|
||||||
|
|
||||||
public function testDontValidateTokenIfChildrenButNoRoot()
|
public function testDontValidateTokenIfChildrenButNoRoot()
|
||||||
{
|
{
|
||||||
$this->csrfProvider->expects($this->never())
|
$this->csrfProvider->expects($this->never())
|
||||||
|
|
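Review bot: The comment `// Remove token from data` in testFailIfRootAndChildrenAndTokenMissing appears copied from the neighbouring tests and does not describe this scenario, where no token was ever bound; the assertion below it checks that the bound data is passed through untouched. Rewording it to `// No token was submitted, so the bound data must be passed through unchanged` keeps the test readable next to `// token is missing` a few lines above. It may also be worth asserting that the error lands on the root form (for example via `$form->getErrors()`), since `isValid()` alone does not show where the rejection was recorded; I have hedged this because the assertion helpers available in TypeTestCase are not visible here. The array literal passed to createBuilder lacks a trailing comma after `'%INTENTION%'`, unlike the surrounding style.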