[Form] Fixed: CSRF protection did not run if token was missing
parent
eb75ab1b74
commit
c623fcf4d4
@ -63,8 +63,8 @@ class CsrfValidationListener implements EventSubscriberInterface
|
|||
$form = $event->getForm();
|
||||
$data = $event->getData();
|
||||
|
||||
if ($form->isRoot() && $form->hasChildren() && isset($data[$this->fieldName])) {
|
||||
if (!$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {
|
||||
if ($form->isRoot() && $form->hasChildren()) {
|
||||
if (!isset($data[$this->fieldName]) || !$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {
|
||||
$form->addError(new FormError('The CSRF token is invalid. Please try to resubmit the form'));
|
||||
}
|
||||
|
||||
|
|
|
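Review bot: The token read on the new condition line (`$data[$this->fieldName]`) is checked for presence only, not for type, so a request that submits the field as an array (e.g. `csrf[]=x`) hands an array to `isCsrfTokenValid()`; whether that is rejected or compared loosely depends on the provider, which is not visible here. A type guard in the same condition keeps that decision inside the listener: `if (!isset($data[$this->fieldName]) || !is_string($data[$this->fieldName]) || !$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {`. The outer `if ($form->isRoot() && $form->hasChildren())` still skips the check entirely for a childless root form; that is unchanged by this commit, but a comment such as `// NOTE(review): childless root forms are not CSRF-checked here — presumably the token field only exists on compound forms, confirm` would make the intent explicit. The enclosing method starts before and ends after this hunk.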
@ -171,6 +171,32 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
|
|||
$this->assertSame($valid, $form->isValid());
|
||||
}
|
||||
|
||||
public function testFailIfRootAndChildrenAndTokenMissing()
|
||||
{
|
||||
$this->csrfProvider->expects($this->never())
|
||||
->method('isCsrfTokenValid');
|
||||
|
||||
$form = $this->factory
|
||||
->createBuilder('form', null, array(
|
||||
'csrf_field_name' => 'csrf',
|
||||
'csrf_provider' => $this->csrfProvider,
|
||||
'intention' => '%INTENTION%'
|
||||
))
|
||||
->add($this->factory->createNamedBuilder('form', 'child'))
|
||||
->getForm();
|
||||
|
||||
$form->bind(array(
|
||||
'child' => 'foobar',
|
||||
// token is missing
|
||||
));
|
||||
|
||||
// Remove token from data
|
||||
$this->assertSame(array('child' => 'foobar'), $form->getData());
|
||||
|
||||
// Validate accordingly
|
||||
$this->assertFalse($form->isValid());
|
||||
}
|
||||
|
||||
public function testDontValidateTokenIfChildrenButNoRoot()
|
||||
{
|
||||
$this->csrfProvider->expects($this->never())
|
||||
|
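Review bot: The new `testFailIfRootAndChildrenAndTokenMissing` covers an absent `csrf` key but not a key bound to `null`, which the listener's `isset()` check treats the same way; a second bind with `'csrf' => null` under the same `never()` expectation and `assertFalse($form->isValid())` would pin that path. The comment at `// Remove token from data` describes an action the test does not perform — the assertion only checks that the bound data carries no token — so `// The missing token must not show up in the bound data` matches what is asserted. The test also stops at `isValid()`; if the form exposes its errors (e.g. via `getErrors()`), asserting that exactly one error was attached would distinguish the CSRF rejection from any other validation failure. The trailing context belongs to `testDontValidateTokenIfChildrenButNoRoot`, whose body continues past the hunk.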