From e1aced89fd0f036ee4fd448d17184c168f2c9ae0 Mon Sep 17 00:00:00 2001
From: Kris Wallsmith
Date: Tue, 10 Jan 2012 04:55:48 -0800
Subject: [PATCH] [Twig] added {{ csrf_token() }} helper

---
 .../Bridge/Twig/Extension/FormExtension.php | 34 ++++++++++++++++++-
 .../TwigBundle/Resources/config/twig.xml | 1 +
 .../Extension/FormExtensionDivLayoutTest.php | 2 +-
 .../FormExtensionTableLayoutTest.php | 2 +-
 4 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/src/Symfony/Bridge/Twig/Extension/FormExtension.php b/src/Symfony/Bridge/Twig/Extension/FormExtension.php
index 25004e90fd..b73212020a 100644
--- a/src/Symfony/Bridge/Twig/Extension/FormExtension.php
+++ b/src/Symfony/Bridge/Twig/Extension/FormExtension.php
@@ -14,6 +14,7 @@ namespace Symfony\Bridge\Twig\Extension;
 use Symfony\Bridge\Twig\TokenParser\FormThemeTokenParser;
 use Symfony\Component\Form\FormView;
 use Symfony\Component\Form\Exception\FormException;
+use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
 use Symfony\Component\Form\Util\FormUtil;
 
 /**
@@ -24,6 +25,7 @@ use Symfony\Component\Form\Util\FormUtil;
  */
 class FormExtension extends \Twig_Extension
 {
+    protected $csrfProvider;
     protected $resources;
     protected $blocks;
     protected $environment;
@@ -31,8 +33,9 @@ class FormExtension extends \Twig_Extension
     protected $varStack;
     protected $template;
 
-    public function __construct(array $resources = array())
+    public function __construct(CsrfProviderInterface $csrfProvider, array $resources = array())
     {
+        $this->csrfProvider = $csrfProvider;
         $this->themes = new \SplObjectStorage();
         $this->varStack = array();
         $this->blocks = new \SplObjectStorage();
@@ -81,6 +84,7 @@ class FormExtension extends \Twig_Extension
             'form_label' => new \Twig_Function_Method($this, 'renderLabel', array('is_safe' => array('html'))),
             'form_row' => new \Twig_Function_Method($this, 'renderRow', array('is_safe' => array('html'))),
             'form_rest' => new \Twig_Function_Method($this, 'renderRest', array('is_safe' => array('html'))),
+            'csrf_token' => new \Twig_Function_Method($this, 'getCsrfToken'),
             '_form_is_choice_group' => new \Twig_Function_Method($this, 'isChoiceGroup', array('is_safe' => array('html'))),
             '_form_is_choice_selected' => new \Twig_Function_Method($this, 'isChoiceSelected', array('is_safe' => array('html'))),
         );
@@ -269,6 +273,34 @@ class FormExtension extends \Twig_Extension
         ));
     }
 
+    /**
+     * Returns a CSRF token.
+     *
+     * Use this helper for CSRF protection without the overhead of creating a
+     * form.
+     *
+     *
+     *
+     *
+     *
+     * Check the token in your action using the same intention.
+     *
+     *
+     * $csrfProvider = $this->get('form.csrf_provider');
+     * if (!$csrfProvider->isCsrfTokenValid('rm_user_'.$user->getId(), $token)) {
+     *     throw new \RuntimeException('CSRF attack detected.');
+     * }
+     *
+     *
+     * @param string $intention The intention of the protected action
+     *
+     * @return string A CSRF token
+     */
+    public function getCsrfToken($intention)
+    {
+        return $this->csrfProvider->generateCsrfToken($intention);
+    }
+
     /**
      * Returns the name of the extension.
      *
diff --git a/src/Symfony/Bundle/TwigBundle/Resources/config/twig.xml b/src/Symfony/Bundle/TwigBundle/Resources/config/twig.xml
index 7c24db417d..36b4000ff8 100644
--- a/src/Symfony/Bundle/TwigBundle/Resources/config/twig.xml
+++ b/src/Symfony/Bundle/TwigBundle/Resources/config/twig.xml
@@ -75,6 +75,7 @@ + %twig.form.resources%
diff --git a/tests/Symfony/Tests/Bridge/Twig/Extension/FormExtensionDivLayoutTest.php b/tests/Symfony/Tests/Bridge/Twig/Extension/FormExtensionDivLayoutTest.php
index be935ccc96..4f4be0be54 100644
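Review bot: The verification example in the new getCsrfToken docblock throws a plain `\RuntimeException` on a token mismatch, which presumably reaches the client as a 500 rather than a client error; the example should throw an HTTP-level exception such as Symfony's `AccessDeniedHttpException` (or a 403 `HttpException`) so a rejected request is reported as forbidden, not as a server fault. The example also uses `$token` without showing where it is read from, and it should state that the intention string given to `csrf_token()` and to `isCsrfTokenValid()` must match exactly, since the token is bound to that intention. Because this helper exists precisely for actions outside a form (the template usage example between "form." and "Check" appears to have been lost in extraction), the docblock deserves a caveat that a token carried in a link's URL ends up in Referer headers, browser history and access logs, so a state-changing action like the `rm_user_` example should still be submitted via POST with the token in a hidden field or request header. Leave `csrf_token` registered without `is_safe`, as the earlier hunk does, so the returned token stays auto-escaped in templates.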
--- a/tests/Symfony/Tests/Bridge/Twig/Extension/FormExtensionDivLayoutTest.php
+++ b/tests/Symfony/Tests/Bridge/Twig/Extension/FormExtensionDivLayoutTest.php
@@ -38,7 +38,7 @@ class FormExtensionDivLayoutTest extends AbstractDivLayoutTest
             __DIR__,
         ));
 
-        $this->extension = new FormExtension(array(
+        $this->extension = new FormExtension($this->getMock('Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface'), array(
             'form_div_layout.html.twig',
             'custom_widgets.html.twig',
         ));
diff --git a/tests/Symfony/Tests/Bridge/Twig/Extension/FormExtensionTableLayoutTest.php b/tests/Symfony/Tests/Bridge/Twig/Extension/FormExtensionTableLayoutTest.php
index bb7e44743f..96cbf11612 100644
--- a/tests/Symfony/Tests/Bridge/Twig/Extension/FormExtensionTableLayoutTest.php
+++ b/tests/Symfony/Tests/Bridge/Twig/Extension/FormExtensionTableLayoutTest.php
@@ -38,7 +38,7 @@ class FormExtensionTableLayoutTest extends AbstractTableLayoutTest
             __DIR__,
         ));
 
-        $this->extension = new FormExtension(array(
+        $this->extension = new FormExtension($this->getMock('Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface'), array(
             'form_table_layout.html.twig',
             'custom_widgets.html.twig',
         ));
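Review bot: The `csrf_token` helper this commit adds is never exercised: the `CsrfProviderInterface` mock injected in the FormExtensionDivLayoutTest setUp hunk has no expectations, so `generateCsrfToken` would return null if a template called it, and neither layout test renders `{{ csrf_token(...) }}`. Add a test that stubs the provider, e.g. `$provider->expects($this->any())->method('generateCsrfToken')->with('foo')->will($this->returnValue('<tok>'));`, renders `{{ csrf_token('foo') }}` through the Twig environment this setUp builds, and asserts the output is `&lt;tok&gt;` — that pins both the intention pass-through and that the function is not `is_safe`, so a token is auto-escaped. The same applies to the FormExtensionTableLayoutTest hunk below. Both setUp methods start and end outside the hunks.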