
Commit d4f2ffb

committed
bug symfony#9662 [FrameworkBundle] Enabled csrf_protection by default if form.csrf_protection is enabled (bschussek)
This PR was submitted for the master branch but it was merged into the 2.4 branch instead (closes symfony#9662). Discussion ---------- [FrameworkBundle] Enabled csrf_protection by default if form.csrf_protection is enabled | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | symfony#9429 | License | MIT | Doc PR | - This PR enables the CSRF protection services automatically if CSRF protection for forms is enabled. In this case, the CSRF protection services can no longer be disabled manually (the same as with the validation services). Commits ------- b5e5c71 [FrameworkBundle] Enabled csrf_protection by default if form.csrf_protection is enabled
2 parents 1a33e1b + 5bf759a commit d4f2ffb


2 files changed

+10
-12
lines changed


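--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -93,14 +93,18 @@ public function load(array $configs, ContainerBuilder $container)
 
 $loader->load('security.xml');
 
-$this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
-
 if ($this->isConfigEnabled($container, $config['form'])) {
 $this->formConfigEnabled = true;
 $this->registerFormConfiguration($config, $container, $loader);
 $config['validation']['enabled'] = true;
+
+if ($this->isConfigEnabled($container, $config['form']['csrf_protection'])) {
+$config['csrf_protection']['enabled'] = true;
+}
 }
 
+$this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
+
 if (isset($config['templating'])) {
 $this->registerTemplatingConfiguration($config['templating'], $config['ide'], $container, $loader);
 }
@@ -159,10 +163,6 @@ private function registerFormConfiguration($config, ContainerBuilder $container,
 {
 $loader->load('form.xml');
 if ($this->isConfigEnabled($container, $config['form']['csrf_protection'])) {
-if (!$this->isConfigEnabled($container, $config['csrf_protection'])) {
-throw new \LogicException('CSRF protection needs to be enabled in order to use CSRF protection for forms.');
-}
-
 $loader->load('form_csrf.xml');
 
 $container->setParameter('form.type_extension.csrf.enabled', true);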
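Review bot: The assignment `$config['csrf_protection']['enabled'] = true;` in load() overwrites an explicit `csrf_protection: false` without leaving any trace, so an operator who disabled the services gets them anyway (and, judging by testCsrfProtectionNeedsSessionToBeEnabled in the test file, presumably the session requirement that comes with them). Failing towards protection is the safer direction, but the override deserves a comment at that line, e.g. `// Form CSRF tokens need the security.csrf services, so they are forced on here even when csrf_protection is disabled in the config`. With the LogicException removed in the second hunk, registerFormConfiguration() loads form_csrf.xml relying solely on load() calling registerSecurityCsrfConfiguration() afterwards; a docblock line stating that dependency would keep a later reordering from leaving form CSRF without its services. Both function bodies continue outside the hunks shown.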

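--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -41,13 +41,11 @@ public function testCsrfProtectionNeedsSessionToBeEnabled()
 $this->createContainerFromFile('csrf_needs_session');
 }
 
-/**
-* @expectedException \LogicException
-* @expectedExceptionMessage CSRF protection needs to be enabled in order to use CSRF protection for forms.
-*/
-public function testCsrfProtectionForFormsNeedCsrfProtectionToBeEnabled()
+public function testCsrfProtectionForFormsEnablesCsrfProtectionAutomatically()
 {
-$this->createContainerFromFile('csrf');
+$container = $this->createContainerFromFile('csrf');
+
+$this->assertTrue($container->hasDefinition('security.csrf.token_manager'));
 }
 
 public function testSecureRandomIsAvailableIfCsrfIsDisabled()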
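Review bot: The new test only exercises the `csrf` fixture, so the behaviour the commit message promises (CSRF services stay on even when `csrf_protection` is explicitly disabled) is not pinned by any test visible here; what that fixture sets for `csrf_protection` is not shown. I would add a second case built from a fixture that disables `csrf_protection` while `form.csrf_protection` is enabled, asserting the same `hasDefinition('security.csrf.token_manager')`. It is also worth adding `$this->assertTrue($container->getParameter('form.type_extension.csrf.enabled'));` to the existing test, so a regression that registers the token manager but drops the form extension is caught.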
