Codestin Search App

Oviglo · 2025-03-20T08:20:06Z

Q	A
Branch?	7.3
Bug fix?	no
New feature?	yes
Deprecations?	no
License	MIT

I use a controller action to show a confirmation message for delete entity, i think it could be usefull to add 'methods' param in #[IsCsrfTokenValid] attribute.

#[Route('/delete/{id}', name: 'delete', methods: ['GET', 'DELETE'], requirements: ['id' => Requirement::UUID])]
public function delete(Request $request, User $user, UserManager $userManager): Response
{
    if ($request->isMethod('DELETE') && $this->isCsrfTokenValid('delete'.$user->getId(), $request->request->get('_token'))) {
        $userManager->remove($user);

        return $this->redirectToRoute('admin_user_index');
    }

    return $this->render('/admin/user/delete.html.twig', [
        'entity' => $user,
    ]);
}

#[Route('/delete/{id}', name: 'delete', methods: ['GET', 'DELETE'], requirements: ['id' => Requirement::UUID])]
#[IsCsrfTokenValid(new Expression('"delete" ~ args["user"].getId()'), methods: ['DELETE'])]
public function delete(Request $request, User $user, UserManager $userManager): Response
{
    if ($request->isMethod('DELETE')) {
        $userManager->remove($user);

        return $this->redirectToRoute('admin_user_index');
    }

    return $this->render('/admin/user/delete.html.twig', [
        'entity' => $user,
    ]);
}

The isCsrfTokenValidfunction is ignored if request method is not settings in param.

What do you think about this ?

Spomky · 2025-03-20T08:32:24Z

Hi @Oviglo,

I believe the best approach would be to separate the logic into two distinct methods: one for GET and another for DELETE.
This would not only solve your issue but also improve the clarity and maintainability of your code.

Oviglo · 2025-03-20T09:26:46Z

Hi @Oviglo,

I believe the best approach would be to separate the logic into two distinct methods: one for GET and another for DELETE. This would not only solve your issue but also improve the clarity and maintainability of your code.

Yes, but it will make my controller heavier. Another solution is to create an empty form for using native csrf validation.

Is it an official recommendation to use only one method per action ?

Spomky · 2025-03-20T09:35:32Z

I’m not sure what you mean by "heavier" in this context.

There is no official recommendation to use only one method per action, it is more about the single-responsibility principle.

Here’s an example that should work as expected:

#[Route('/delete/{id}', name: 'get', methods: ['GET'], requirements: ['id' => Requirement::UUID])]
public function get(User $user): Response
{
    return $this->render('/admin/user/delete.html.twig', ['entity' => $user]);
}

#[Route('/delete/{id}', name: 'delete', methods: ['DELETE'], requirements: ['id' => Requirement::UUID])]
#[IsCsrfTokenValid(new Expression('"delete" ~ args["user"].getId()'))]
public function delete(User $user, UserManager $userManager): Response
{
    $userManager->remove($user);

    return $this->redirectToRoute('admin_user_index');
}

nicolas-grekas · 2025-03-21T17:42:37Z

So, better close?

Oviglo · 2025-03-21T18:16:30Z

If you don’t find any utility, yes 😥

Merci à vous.

nicolas-grekas

Work for me despite the proposed alternative.

src/Symfony/Component/Security/Http/Attribute/IsCsrfTokenValid.php

src/Symfony/Component/Security/Http/EventListener/IsCsrfTokenValidAttributeListener.php

Spomky · 2025-03-22T12:10:45Z

Instead of a list of methods, what about checking if it is a non-safe method?

Oviglo · 2025-03-22T15:08:14Z

Yes you are right, a csrf token is only used for POST PUT DELETE and PATCH is’nt ?

nicolas-grekas · 2025-03-22T15:57:38Z

CSRF tokens can also be used for GET requests, eg for logout links (that's a common practice, even if not recommended).

Spomky

Looks good. Thank you.

nicolas-grekas · 2025-03-24T09:17:22Z

Thank you @Oviglo.

…tribute (Oviglo) This PR was squashed before being merged into the 7.3 branch. Discussion ---------- [Security] Add methods param doc for isCsrfTokenValid attribute Add new params for isCsrfTokenValid attribute PR: symfony/symfony#60007 Issue: #20810 Commits ------- 6d7c87f [Security] Add methods param doc for isCsrfTokenValid attribute

Oviglo requested a review from chalasr as a code owner March 20, 2025 08:20

carsonbot added Status: Needs Review Feature labels Mar 20, 2025

carsonbot added this to the 7.3 milestone Mar 20, 2025

Oviglo changed the title ~~Add methods param in IsCsrfTokenValid attribute~~ [Security][SecurityBundle] Add methods param in IsCsrfTokenValid attribute Mar 20, 2025

nicolas-grekas approved these changes Mar 22, 2025

View reviewed changes

carsonbot added Status: Reviewed and removed Status: Needs Review labels Mar 22, 2025

carsonbot changed the title ~~[Security][SecurityBundle] Add methods param in IsCsrfTokenValid attribute~~ Add methods param in IsCsrfTokenValid attribute Mar 22, 2025

OskarStark added the Security label Mar 22, 2025

carsonbot changed the title ~~Add methods param in IsCsrfTokenValid attribute~~ [Security] Add methods param in IsCsrfTokenValid attribute Mar 22, 2025

Oviglo force-pushed the is-csrf-token-valid/add-method-param branch from adea370 to 28a9102 Compare March 23, 2025 09:12

Oviglo requested a review from nicolas-grekas March 23, 2025 09:21

carsonbot added Status: Needs Review and removed Status: Reviewed labels Mar 23, 2025

Spomky approved these changes Mar 23, 2025

View reviewed changes

carsonbot added Status: Reviewed and removed Status: Needs Review labels Mar 23, 2025

[Security] Add methods param in IsCsrfTokenValid attribute

640e7a4

nicolas-grekas force-pushed the is-csrf-token-valid/add-method-param branch from 0b4edd1 to 640e7a4 Compare March 24, 2025 09:17

nicolas-grekas merged commit 1492e46 into symfony:7.3 Mar 24, 2025
3 of 7 checks passed

nicolas-grekas mentioned this pull request Mar 24, 2025

[Security] Add methods param in IsCsrfTokenValid attribute symfony/symfony-docs#20810

Closed

Oviglo mentioned this pull request Mar 24, 2025

[Security] Add methods param doc for isCsrfTokenValid attribute symfony/symfony-docs#20811

Merged

Oviglo deleted the is-csrf-token-valid/add-method-param branch March 27, 2025 07:54

fabpot mentioned this pull request May 2, 2025

Release v7.3.0-BETA1 #60327

Merged

Uh oh!

Conversation

Oviglo commented Mar 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Spomky commented Mar 20, 2025

Uh oh!

Oviglo commented Mar 20, 2025

Uh oh!

Spomky commented Mar 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nicolas-grekas commented Mar 21, 2025

Uh oh!

Oviglo commented Mar 21, 2025

Uh oh!

nicolas-grekas left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Spomky commented Mar 22, 2025

Uh oh!

Oviglo commented Mar 22, 2025

Uh oh!

nicolas-grekas commented Mar 22, 2025

Uh oh!

Spomky left a comment

Choose a reason for hiding this comment

Uh oh!

nicolas-grekas commented Mar 24, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Comments

Oviglo commented Mar 20, 2025 •

edited

Loading

Spomky commented Mar 20, 2025 •

edited

Loading