Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[Twig] [FrameworkBundle] added CSRF token helper #3080

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fabpot merged 2 commits into from
Jan 22, 2012
Merged

[Twig] [FrameworkBundle] added CSRF token helper #3080

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e1aced8
[Twig] added {{ csrf_token() }} helper
kriswallsmith Jan 10, 2012
753c067
[FrameworkBundle] added $view['form']->csrfToken() helper
kriswallsmith Jan 10, 2012
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 33 additions & 1 deletion src/Symfony/Bridge/Twig/Extension/FormExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
use Symfony\Bridge\Twig\TokenParser\FormThemeTokenParser;
use Symfony\Component\Form\FormView;
use Symfony\Component\Form\Exception\FormException;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
use Symfony\Component\Form\Util\FormUtil;

/**
Expand All @@ -24,15 +25,17 @@
*/
class FormExtension extends \Twig_Extension
{
protected $csrfProvider;
protected $resources;
protected $blocks;
protected $environment;
protected $themes;
protected $varStack;
protected $template;

public function __construct(array $resources = array())
public function __construct(CsrfProviderInterface $csrfProvider, array $resources = array())
{
$this->csrfProvider = $csrfProvider;
$this->themes = new \SplObjectStorage();
$this->varStack = array();
$this->blocks = new \SplObjectStorage();
Expand Down Expand Up @@ -81,6 +84,7 @@ public function getFunctions()
'form_label' => new \Twig_Function_Method($this, 'renderLabel', array('is_safe' => array('html'))),
'form_row' => new \Twig_Function_Method($this, 'renderRow', array('is_safe' => array('html'))),
'form_rest' => new \Twig_Function_Method($this, 'renderRest', array('is_safe' => array('html'))),
'csrf_token' => new \Twig_Function_Method($this, 'getCsrfToken'),
'_form_is_choice_group' => new \Twig_Function_Method($this, 'isChoiceGroup', array('is_safe' => array('html'))),
'_form_is_choice_selected' => new \Twig_Function_Method($this, 'isChoiceSelected', array('is_safe' => array('html'))),
);
Expand Down Expand Up @@ -269,6 +273,34 @@ protected function render(FormView $view, $section, array $variables = array())
));
}

/**
* Returns a CSRF token.
*
* Use this helper for CSRF protection without the overhead of creating a
* form.
*
* <code>
* <input type="hidden" name="token" value="{{ csrf_token('rm_user_' ~ user.id) }}">
* </code>
*
* Check the token in your action using the same intention.
*
* <code>
* $csrfProvider = $this->get('form.csrf_provider');
* if (!$csrfProvider->isCsrfTokenValid('rm_user_'.$user->getId(), $token)) {
* throw new \RuntimeException('CSRF attack detected.');
* }
* </code>
*
* @param string $intention The intention of the protected action
*
* @return string A CSRF token
*/
public function getCsrfToken($intention)
{
return $this->csrfProvider->generateCsrfToken($intention);
}

/**
* Returns the name of the extension.
*
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/FrameworkBundle/Resources/config/templating_php.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,7 @@
<service id="templating.helper.form" class="%templating.helper.form.class%">
<tag name="templating.helper" alias="form" />
<argument type="service" id="templating.engine.php" />
<argument type="service" id="form.csrf_provider" />
<argument>%templating.helper.form.resources%</argument>
</service>

Expand Down
41 changes: 37 additions & 4 deletions src/Symfony/Bundle/FrameworkBundle/Templating/Helper/FormHelper.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
use Symfony\Component\Templating\EngineInterface;
use Symfony\Component\Form\FormView;
use Symfony\Component\Form\Exception\FormException;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
use Symfony\Component\Form\Util\FormUtil;

/**
Expand All @@ -27,6 +28,8 @@ class FormHelper extends Helper
{
protected $engine;

protected $csrfProvider;

protected $varStack;

protected $context;
Expand All @@ -38,14 +41,16 @@ class FormHelper extends Helper
protected $templates;

/**
* Constructor;
* Constructor.
*
* @param EngineInterface $engine The templating engine
* @param array $resources An array of theme name
* @param EngineInterface $engine The templating engine
* @param CsrfProviderInterface $csrfProvider The CSRF provider
* @param array $resources An array of theme names
*/
public function __construct(EngineInterface $engine, array $resources)
public function __construct(EngineInterface $engine, CsrfProviderInterface $csrfProvider, array $resources)
{
$this->engine = $engine;
$this->csrfProvider = $csrfProvider;
$this->resources = $resources;
$this->varStack = array();
$this->context = array();
Expand Down Expand Up @@ -172,6 +177,34 @@ public function rest(FormView $view, array $variables = array())
return $this->renderSection($view, 'rest', $variables);
}

/**
* Returns a CSRF token.
*
* Use this helper for CSRF protection without the overhead of creating a
* form.
*
* <code>
* echo $view['form']->csrfToken('rm_user_'.$user->getId());
* </code>
*
* Check the token in your action using the same intention.
*
* <code>
* $csrfProvider = $this->get('form.csrf_provider');
* if (!$csrfProvider->isCsrfTokenValid('rm_user_'.$user->getId(), $token)) {
* throw new \RuntimeException('CSRF attack detected.');
* }
* </code>
*
* @param string $intention The intention of the protected action
*
* @return string A CSRF token
*/
public function csrfToken($intention)
{
return $this->csrfProvider->generateCsrfToken($intention);
}

/**
* Renders a template.
*
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/FrameworkBundle/Tests/Templating/Helper/FormHelperDivLayoutTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ protected function setUp()
$loader = new FilesystemLoader(array());
$engine = new PhpEngine($templateNameParser, $loader);

$this->helper = new FormHelper($engine, array('FrameworkBundle:Form'));
$this->helper = new FormHelper($engine, $this->getMock('Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface'), array('FrameworkBundle:Form'));

$engine->setHelpers(array(
$this->helper,
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/FrameworkBundle/Tests/Templating/Helper/FormHelperTableLayoutTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ protected function setUp()
$loader = new FilesystemLoader(array());
$engine = new PhpEngine($templateNameParser, $loader);

$this->helper = new FormHelper($engine, array(
$this->helper = new FormHelper($engine, $this->getMock('Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface'), array(
'FrameworkBundle:Form',
'FrameworkBundle:FormTable'
));
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/TwigBundle/Resources/config/twig.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@

<service id="twig.extension.form" class="%twig.extension.form.class%" public="false">
<tag name="twig.extension" />
<argument type="service" id="form.csrf_provider" />
<argument>%twig.form.resources%</argument>
</service>

Expand Down
2 changes: 1 addition & 1 deletion tests/Symfony/Tests/Bridge/Twig/Extension/FormExtensionDivLayoutTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ protected function setUp()
__DIR__,
));

$this->extension = new FormExtension(array(
$this->extension = new FormExtension($this->getMock('Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface'), array(
'form_div_layout.html.twig',
'custom_widgets.html.twig',
));
Expand Down
2 changes: 1 addition & 1 deletion tests/Symfony/Tests/Bridge/Twig/Extension/FormExtensionTableLayoutTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ protected function setUp()
__DIR__,
));

$this->extension = new FormExtension(array(
$this->extension = new FormExtension($this->getMock('Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface'), array(
'form_table_layout.html.twig',
'custom_widgets.html.twig',
));
Expand Down