[Form] CSRF documentation and a few CS changes

symfony · May 18, 2011 · ebb0e83 · ebb0e83
1 parent ba31b5a
commit ebb0e83
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 14 deletions.
diff --git a/src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php b/src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php
@@ -15,22 +15,36 @@
 use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
 use Symfony\Component\Form\AbstractExtension;
 
+/**
+ * This extension protects forms by using a CSRF token
+ */
 class CsrfExtension extends AbstractExtension
 {
     private $csrfProvider;
 
+    /**
+     * Constructor.
+     *
+     * @param CsrfProviderInterface $csrfProvider The CSRF provider
+     */
     public function __construct(CsrfProviderInterface $csrfProvider)
     {
         $this->csrfProvider = $csrfProvider;
     }
 
+    /**
+     * {@inheritDoc}
+     */
     protected function loadTypes()
     {
         return array(
             new Type\CsrfType($this->csrfProvider),
         );
     }
 
+    /**
+     * {@inheritDoc}
+     */
     protected function loadTypeExtensions()
     {
         return array(

diff --git a/src/Symfony/Component/Form/Extension/Csrf/Type/CsrfType.php b/src/Symfony/Component/Form/Extension/Csrf/Type/CsrfType.php
@@ -22,11 +22,25 @@ class CsrfType extends AbstractType
 {
     private $csrfProvider;
 
+    /**
+     * Constructor.
+     *
+     * @param CsrfProviderInterface $csrfProvider The provider to use to generate the token
+     */
     public function __construct(CsrfProviderInterface $csrfProvider)
     {
         $this->csrfProvider = $csrfProvider;
     }
 
+    /**
+     * Builds the CSRF field.
+     *
+     * A validator is added to check the token value when the CSRF field is added to
+     * a root form
+     *
+     * @param FormBuilder $builder The form builder
+     * @param array       $options The options
+     */
     public function buildForm(FormBuilder $builder, array $options)
     {
         $csrfProvider = $options['csrf_provider'];
@@ -47,20 +61,31 @@ public function buildForm(FormBuilder $builder, array $options)
         ;
     }
 
+    /**
+     * {@inheritDoc}
+     */
     public function getDefaultOptions(array $options)
     {
         return array(
             'csrf_provider' => $this->csrfProvider,
-            'intention' => null,
+            'intention'     => null,
             'property_path' => false,
         );
     }
 
+    /**
+     * {@inheritDoc}
+     */
     public function getParent(array $options)
     {
         return 'hidden';
     }
 
+    /**
+     * Returns the name of this form.
+     *
+     * @return string 'csrf'
+     */
     public function getName()
     {
         return 'csrf';

diff --git a/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php b/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php
@@ -27,6 +27,12 @@ public function __construct($enabled = true, $fieldName = '_token')
         $this->fieldName = $fieldName;
     }
 
+    /**
+     * Adds a CSRF field to the form when the CSRF protection is enabled.
+     *
+     * @param FormBuilder   $builder The form builder
+     * @param array         $options The options
+     */
     public function buildForm(FormBuilder $builder, array $options)
     {
         if ($options['csrf_protection']) {
@@ -36,11 +42,19 @@ public function buildForm(FormBuilder $builder, array $options)
                 $csrfOptions['csrf_provider'] = $options['csrf_provider'];
             }
 
-            $builder->add($options['csrf_field_name'], 'csrf', $csrfOptions)
-                ->setAttribute('csrf_field_name', $options['csrf_field_name']);
+            $builder
+                ->add($options['csrf_field_name'], 'csrf', $csrfOptions)
+                ->setAttribute('csrf_field_name', $options['csrf_field_name'])
+            ;
         }
     }
 
+    /**
+     * Removes CSRF fields from all the form views except the root one.
+     *
+     * @param FormView      $view The form view
+     * @param FormInterface $form The form
+     */
     public function buildViewBottomUp(FormView $view, FormInterface $form)
     {
         if ($view->hasParent() && $form->hasAttribute('csrf_field_name')) {
@@ -52,16 +66,22 @@ public function buildViewBottomUp(FormView $view, FormInterface $form)
         }
     }
 
+    /**
+     * {@inheritDoc}
+     */
     public function getDefaultOptions(array $options)
     {
         return array(
-            'csrf_protection' => $this->enabled,
-            'csrf_field_name' => $this->fieldName,
-            'csrf_provider'   => null,
-            'intention'  => 'unknown',
+            'csrf_protection'   => $this->enabled,
+            'csrf_field_name'   => $this->fieldName,
+            'csrf_provider'     => null,
+            'intention'         => 'unknown',
         );
     }
 
+    /**
+     * {@inheritDoc}
+     */
     public function getExtendedType()
     {
         return 'form';

diff --git a/src/Symfony/Component/Form/Form.php b/src/Symfony/Component/Form/Form.php
@@ -24,13 +24,6 @@
  *
  * A form is composed of a validator schema and a widget form schema.
  *
- * Form also takes care of CSRF protection by default.
- *
- * A CSRF secret can be any random string. If set to false, it disables the
- * CSRF protection, and if set to null, it forces the form to use the global
- * CSRF secret. If the global CSRF secret is also null, then a random one
- * is generated on the fly.
- *
  * To implement your own form fields, you need to have a thorough understanding
  * of the data flow within a form field. A form field stores its data in three
  * different representations: