Preloading error because of CsrfTokenManagerInterface in Form component #44445

Closed
@iquito

Symfony version(s) affected

6.0.0

Description

I am using the form component, but not the security component, and when trying to use preloading in my application (by including the preloading file generated by Symfony) it fails with:

NOTICE: PHP message: PHP Fatal error:  Failed to load class Symfony\Component\Security\Csrf\CsrfTokenManagerInterface used by typed property Symfony\Component\Form\FormRenderer::$csrfTokenManager during preloading in Unknown on line 0

How to reproduce

Create a project with the Symfony form component and Symfony DI + Framework components (but without the security component), deactivate csrf_protection in the configuration, create a Form class and start PHP with the Symfony-generated preload file. Just trying to load the FormRenderer class in the preload file will then lead to this problem.

This issue is new in Symfony 6 because of the explicit type hints for properties which were not present in earlier Symfony versions.

Possible Solution

There are mainly two solutions from my viewpoint:

  • Remove the type for any properties using CsrfTokenManagerInterface in the form component (typed parameters are not affected, only typed properties)
  • Somehow add CsrfTokenManagerInterface as a dependency for the form component, so it can always be loaded

I see the first solution as simpler and therefore preferable. CsrfTokenManagerInterface is used as a typed property in:

  • Symfony\Component\Form\FormRenderer
  • Symfony\Component\Form\Extension\Csrf\CsrfExtension
  • Symfony\Component\Form\Extension\Csrf\EventListener\CsrfValidationListener
  • Symfony\Component\Form\Extension\Csrf\Type\FormTypeCsrfExtension
  • Symfony\Bridge\Twig\Extension\CsrfRuntime

Removing the type for the CsrfTokenManagerInterface properties and replacing them with annotations should solve this problem. In general there might be more such cases within the Symfony framework, and types for properties should be seen as hard dependencies.

Additional Context

I use my own implementation for CSRF protection, and there are other ways of guarding against CSRF, mainly strict SameSite cookies, so it makes sense for projects to not always use the CSRF protection provided by the form+security component.
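
The failure described in this issue can be caught before a preload file is deployed. The following check is an added example, not code from Symfony or from the issue author: it reflects over a list of classes and reports every typed property whose class or interface type cannot be loaded. The Demo\... names are constructed stand-ins, and the assumption is that in a real project the class list is taken from the generated preload file and Composer's autoloader is registered first.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the situation in the issue: a class whose typed
// property refers to an interface from a package that is not installed.
namespace Demo\Form {
    final class Renderer
    {
        private ?\Demo\Missing\TokenManagerInterface $csrfTokenManager = null;
        private array $themes = [];
    }
}

namespace {
    /** Flatten named, nullable, union and intersection types to class names. */
    function namedClassTypes(?ReflectionType $type): array
    {
        if ($type === null) {
            return []; // untyped property: nothing for the preloader to resolve
        }
        if ($type instanceof ReflectionNamedType) {
            $skip = $type->isBuiltin() || in_array($type->getName(), ['self', 'parent', 'static'], true);
            return $skip ? [] : [$type->getName()];
        }
        // Union and intersection types both expose getTypes()
        return array_merge([], ...array_map('namedClassTypes', $type->getTypes()));
    }

    /** Map "Class::$property" to the type name that cannot be loaded. */
    function unresolvedPropertyTypes(array $classes): array
    {
        $missing = [];
        foreach ($classes as $class) {
            foreach ((new ReflectionClass($class))->getProperties() as $prop) {
                foreach (namedClassTypes($prop->getType()) as $name) {
                    // class_exists() triggers autoloading, like the preloader's lookup
                    if (!class_exists($name) && !interface_exists($name)) {
                        $missing[$class . '::$' . $prop->getName()] = $name;
                    }
                }
            }
        }
        return $missing;
    }

    foreach (unresolvedPropertyTypes([Demo\Form\Renderer::class]) as $where => $type) {
        echo "$where needs $type, which cannot be loaded\n";
    }
}
```

Run it in a normal (non-preloading) PHP process, where an unresolved property type does not stop the class from being declared.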
