Commits
-------
753c067 [FrameworkBundle] added $view['form']->csrfToken() helper
e1aced8 [Twig] added {{ csrf_token() }} helper
Discussion
----------
[Twig] [FrameworkBundle] added CSRF token helper
I've added a templating helper and Twig function for generating a CSRF token without the overhead of creating a form.
```html+jinja
<form action="{{ path('user_delete', { 'id': user.id }) }}" method="post">
<input type="hidden" name="_method" value="delete">
<input type="hidden" name="_token" value="{{ csrf_token('delete_user_' ~ user.id) }}">
<button type="submit">delete</button>
</form>
```
```php
<?php
class UserController extends Controller
{
public function delete(User $user, Request $request)
{
$csrfProvider = $this->get('form.csrf_provider');
if (!$csrfProvider->isCsrfTokenValid('delete_user_'.$user->getId(), $request->request->get('_token')) {
throw new RuntimeException('CSRF attack detected.');
}
// etc...
}
}
```
The test that is failing on Travis appears to be unrelated, but I may be wrong?
```
1) Symfony\Bundle\SecurityBundle\Tests\Functional\LocalizedRoutesAsPathTest::testLoginLogoutProcedure with data set #1 ('de')
RuntimeException: OUTPUT:
Catchable fatal error: Argument 3 passed to Symfony\Bundle\FrameworkBundle\Controller\TraceableControllerResolver::__construct() must be an instance of Symfony\Component\HttpKernel\Debug\Stopwatch, instance of Symfony\Bundle\FrameworkBundle\Controller\ControllerNameParser given, called in /tmp/2.1.0-DEV/StandardFormLogin/cache/securitybundletest/appSecuritybundletestDebugProjectContainer.php on line 94 and defined in /home/vagrant/builds/kriswallsmith/symfony/src/Symfony/Bundle/FrameworkBundle/Controller/TraceableControllerResolver.php on line 37
```
---------------------------------------------------------------------------
by pablodip at 2012-01-10T14:18:45Z
As you don't need forms to use the csrf provider, how about putting its service without the form prefix? It could even make sense to put the CsrfProvider as a component since you can use it standalone and in more cases than only forms. It would be a small component though.
---------------------------------------------------------------------------
by Tobion at 2012-01-10T17:54:14Z
I think it would be more clear to generate the token in the controller. Doing so in the template will spread the CSRF intention across template and controller. So I don't think this extension is necessary.
---------------------------------------------------------------------------
by kriswallsmith at 2012-01-10T17:58:14Z
@pablodip I'm open to the idea of a Csrf component. This would be a good place for some nonce classes as well.
@Tobion I disagree. One use case is for a list of users, each with a delete form. Iterating over the users in the controller and generating a token for each, just to iterate over them again in the view is a waste and adds complexity.
---------------------------------------------------------------------------
by Tobion at 2012-01-10T18:05:14Z
I see. But I don't understand why the intention needs to be different for each user to delete. Usually the intention is the same for each form type. I thought this is enough.
---------------------------------------------------------------------------
by kriswallsmith at 2012-01-10T18:06:13Z
Yes, a static intention would suffice.
---------------------------------------------------------------------------
by Tobion at 2012-01-10T18:07:08Z
Then your use case is not valid anymore.
---------------------------------------------------------------------------
by Tobion at 2012-01-10T18:12:25Z
I would suggest to make a cookbook article out of it about how to create a simple form without the form component.
And include such things as validating the result using the validator component and checking the CSRF.
---------------------------------------------------------------------------
by kriswallsmith at 2012-01-10T21:32:50Z
This helper makes it easier to use CSRF protection without a form and we should make it as easy as possible. Spreading the intention across controller and template is not concerning to me. Either way, a cookbook entry is a great idea.
---------------------------------------------------------------------------
by Tobion at 2012-01-10T21:47:12Z
Well, it's just one line more without this helper. So I disagree it makes it really easier when you know how to use the CsrfProvider which is a pre-condition anyway since you must still validate its correctness by hand.
---------------------------------------------------------------------------
by kriswallsmith at 2012-01-13T13:24:15Z
Another use case is when rendering a page with a bunch of simple buttons with different intentions: delete user, delete comment, follow, unfollow... Creating all of these in the controller just leads to spaghetti.
---------------------------------------------------------------------------
by jwage at 2012-01-17T21:55:53Z
👍 lots of use cases for something like this @OpenSky
Commits
-------
f6b3ea2 New validation messages and translated to Serbian language.
Discussion
----------
New validation messages and translated to Serbian language.
It would be nice for translators to be notified somehow when new validation messages appear. I copied those from French translation, not sure if that is the right way to go?
Also, in addition, I would like to contribute sr@latin translation. To explain, Serbian language have dual alphabet, both cyrillic and latin. I'm not sure if Symfony locale supports locale variants? Can you suggest right translation file name for this?
---------------------------------------------------------------------------
by stof at 2012-01-21T19:20:31Z
Please send the ids up to 41 to the 2.0 branch. Only 42 and above are new in 2.1
---------------------------------------------------------------------------
by stof at 2012-01-21T19:23:48Z
Regarding serbian latin translations, there is an issue here: both cyrillic and latin serbian share the same locale id ``sr_SP``
---------------------------------------------------------------------------
by stof at 2012-01-21T19:33:01Z
ok, looking a bit more about it, it seems like the right way to handle this is to use ``sr_Latn`` and ``sr_Cyrl`` for the 2 variants
---------------------------------------------------------------------------
by umpirsky at 2012-01-21T20:28:37Z
But ids 42 and above can be merged to master (2.1), right?
I think they share `sr_RS`, not `sr_SP` as you said.
So, `validators.sr.xlf` should be renamed to `validators.sr_Cyrl.xlf` and for latig added `validators.sr_Latn.xlf`?
---------------------------------------------------------------------------
by stof at 2012-01-21T21:00:18Z
yeah, but previous ids should be merged in 2.0 first to avoid merge conflicts later
---------------------------------------------------------------------------
by umpirsky at 2012-01-21T22:37:15Z
Done https://github.com/symfony/symfony/pull/3168
* 2.0:
Updated Serbian translation.
fixed CS
[Locale][Testing] Fixed breaking tests if 'intl' extension is not installed (#3139)
[Bridge] [Twig] fixed typo in a comment of the Twig FormExtension extension.
Bug fix: no
Feature addition: no
Backwards compatibility break: no
Symfony2 tests pass: yes
Fixes the following tickets: -
Todo: -
This is cleanup after enabling empty form names, now form with empty name
will not render the default `id="form"` container attribute.
Developers can extend/override this behaviour by standard form theming methods.
Commits
-------
af32590 [FrameworkBundle] Use only _route_params to generate redirect routes
Discussion
----------
[FrameworkBundle] Use only _route_params to generate redirect routes
Bug fix: yes
Feature addition: no
Backwards compatibility break: no
Symfony2 tests pass: yes
Routes in RedirectController are generated using all request attributes, which is inconvenient since I abuse request attributes to store other things (device types and such) relevant to the app. It renders the RedirectController useless since it adds unrelated query parameters to URLs it creates.
Commits
-------
10ecaba slovenian validators.xlf updated
Discussion
----------
Validators.sl.xlf updated
PR sent intentionally to symfony:master because of different translations set in translations.XYZ.xlf and translations.XYZ.xliff in current 2.0 branch.
Commits
-------
1cd74ec Added norwegian translations of validators
Discussion
----------
Added norwegian translations of validators
---------------------------------------------------------------------------
by stof at 2011/12/29 10:14:43 -0800
Can you send a PR to the 2.0 branch instead of master to add these translation for the ids 1 to 41 (missing in your PR btw) ? and then another PR to master for the ids 42 to 48 which are new for 2.1 ?
---------------------------------------------------------------------------
by antonbabenko at 2011/12/29 10:59:39 -0800
Ok, will do, but where can I find the correct original one ? I took german file as the most complete. Some languages have different amount of phrases and sources.
---------------------------------------------------------------------------
by javiereguiluz at 2011/12/29 11:23:04 -0800
@antonbabenko you can use the Spanish translation as an example (it was updated very recently and I initially made the same mistake ;) ):
* #2968 for 2.0 branch (added id 41)
* #2969 for master branch (added ids 42 - 48)
---------------------------------------------------------------------------
by antonbabenko at 2011/12/29 11:28:03 -0800
Thanks Javier.
Commits
-------
7c8bd3d [FrameworkBundle] Invalid composer ref fix
Discussion
----------
[FrameworkBundle] Invalid composer ref fix
Changes the `composer.json` reference in the FrameworkBundle to use the `symfony/translation` package rather than the current `symfony/translator` (which doesn't exist).
Commits
-------
0ed3497 [FrameworkBundle][translations] Updated Catalan translation
Discussion
----------
[FrameworkBundle][translations] Updated Catalan translation
Added some translations
---------------------------------------------------------------------------
by stof at 2012/01/04 19:14:29 -0800
Can you send the trans-unit 41 to the 2.0 branch as it is already part of the 2.0 release (ids 42 and above are new for 2.1)
---------------------------------------------------------------------------
by franmomu at 2012/01/05 00:53:49 -0800
Of course, I didn't realize