bug #25508 [FrameworkBundle] Auto-enable CSRF if the component *+ session* are loaded (nicolas-grekas)
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] Auto-enable CSRF if the component *+ session* are loaded
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/recipes/issues/262
| License | MIT
| Doc PR | -
By binding CSRF and session default state, we provide better DX, but we also provide a way for bundles to enable session on its own: they just need to require "symfony/security-csrf".
Yes, that's a side effect, but I think that's a nice one for 3.4/4.0.
Of course, we might do better in 4.1, but for bug fix only releases, LGTM.
Commits
-------
9e8231f
[FrameworkBundle] Automatically enable the CSRF if component *+ session* are loaded
This commit is contained in:
commit
f3ac9f51ef
@ -21,6 +21,7 @@ use Symfony\Component\Config\Definition\ConfigurationInterface;
|
||||
use Symfony\Component\Form\Form;
|
||||
use Symfony\Component\Lock\Lock;
|
||||
use Symfony\Component\Lock\Store\SemaphoreStore;
|
||||
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
|
||||
use Symfony\Component\Serializer\Serializer;
|
||||
use Symfony\Component\Translation\Translator;
|
||||
use Symfony\Component\Validator\Validation;
|
||||
@ -142,7 +143,14 @@ class Configuration implements ConfigurationInterface
|
||||
$rootNode
|
||||
->children()
|
||||
->arrayNode('csrf_protection')
|
||||
->canBeEnabled()
|
||||
->treatFalseLike(array('enabled' => false))
|
||||
->treatTrueLike(array('enabled' => true))
|
||||
->treatNullLike(array('enabled' => true))
|
||||
->addDefaultsIfNotSet()
|
||||
->children()
|
||||
// defaults to framework.session.enabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class)
|
||||
->booleanNode('enabled')->defaultNull()->end()
|
||||
->end()
|
||||
->end()
|
||||
->end()
|
||||
;
|
||||
|
@ -17,6 +17,7 @@ use Symfony\Bridge\Monolog\Processor\DebugProcessor;
|
||||
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
|
||||
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
|
||||
use Symfony\Bundle\FrameworkBundle\Routing\AnnotatedRouteControllerLoader;
|
||||
use Symfony\Bundle\FullStack;
|
||||
use Symfony\Component\Cache\Adapter\AbstractAdapter;
|
||||
use Symfony\Component\Cache\Adapter\AdapterInterface;
|
||||
use Symfony\Component\Cache\Adapter\ArrayAdapter;
|
||||
@ -65,6 +66,7 @@ use Symfony\Component\PropertyInfo\PropertyTypeExtractorInterface;
|
||||
use Symfony\Component\Routing\Loader\AnnotationDirectoryLoader;
|
||||
use Symfony\Component\Routing\Loader\AnnotationFileLoader;
|
||||
use Symfony\Component\Security\Core\Security;
|
||||
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
|
||||
use Symfony\Component\Serializer\Encoder\DecoderInterface;
|
||||
use Symfony\Component\Serializer\Encoder\EncoderInterface;
|
||||
use Symfony\Component\Serializer\Mapping\Factory\CacheClassMetadataFactory;
|
||||
@ -231,6 +233,11 @@ class FrameworkExtension extends Extension
|
||||
$this->registerRequestConfiguration($config['request'], $container, $loader);
|
||||
}
|
||||
|
||||
if (null === $config['csrf_protection']['enabled']) {
|
||||
$config['csrf_protection']['enabled'] = $this->sessionConfigEnabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class);
|
||||
}
|
||||
$this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
|
||||
|
||||
if ($this->isConfigEnabled($container, $config['form'])) {
|
||||
if (!class_exists('Symfony\Component\Form\Form')) {
|
||||
throw new LogicException('Form support cannot be enabled as the Form component is not installed.');
|
||||
@ -251,8 +258,6 @@ class FrameworkExtension extends Extension
|
||||
$container->removeDefinition('console.command.form_debug');
|
||||
}
|
||||
|
||||
$this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
|
||||
|
||||
if ($this->isConfigEnabled($container, $config['assets'])) {
|
||||
if (!class_exists('Symfony\Component\Asset\Package')) {
|
||||
throw new LogicException('Asset support cannot be enabled as the Asset component is not installed.');
|
||||
|
Reference in New Issue
Block a user