From ebb0e83a7e1fdeae6d1def51a32578cea835673a Mon Sep 17 00:00:00 2001 From: Victor Berchet Date: Wed, 18 May 2011 11:01:52 +0200 Subject: [PATCH] [Form] CSRF documentation and a few CS changes --- .../Form/Extension/Csrf/CsrfExtension.php | 14 ++++++++ .../Form/Extension/Csrf/Type/CsrfType.php | 27 +++++++++++++++- .../Csrf/Type/FormTypeCsrfExtension.php | 32 +++++++++++++++---- src/Symfony/Component/Form/Form.php | 7 ---- 4 files changed, 66 insertions(+), 14 deletions(-) diff --git a/src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php b/src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php index 1c685029b416..37bb6d7e83f4 100644 --- a/src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php +++ b/src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php @@ -15,15 +15,26 @@ use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface; use Symfony\Component\Form\AbstractExtension; +/** + * This extension protects forms by using a CSRF token + */ class CsrfExtension extends AbstractExtension { private $csrfProvider; + /** + * Constructor. + * + * @param CsrfProviderInterface $csrfProvider The CSRF provider + */ public function __construct(CsrfProviderInterface $csrfProvider) { $this->csrfProvider = $csrfProvider; } + /** + * {@inheritDoc} + */ protected function loadTypes() { return array( @@ -31,6 +42,9 @@ protected function loadTypes() ); } + /** + * {@inheritDoc} + */ protected function loadTypeExtensions() { return array( diff --git a/src/Symfony/Component/Form/Extension/Csrf/Type/CsrfType.php b/src/Symfony/Component/Form/Extension/Csrf/Type/CsrfType.php index c7e3844a52df..6fd388651ead 100644 --- a/src/Symfony/Component/Form/Extension/Csrf/Type/CsrfType.php +++ b/src/Symfony/Component/Form/Extension/Csrf/Type/CsrfType.php @@ -22,11 +22,25 @@ class CsrfType extends AbstractType { private $csrfProvider; + /** + * Constructor. + * + * @param CsrfProviderInterface $csrfProvider The provider to use to generate the token + */ public function __construct(CsrfProviderInterface $csrfProvider) { $this->csrfProvider = $csrfProvider; } + /** + * Builds the CSRF field. + * + * A validator is added to check the token value when the CSRF field is added to + * a root form + * + * @param FormBuilder $builder The form builder + * @param array $options The options + */ public function buildForm(FormBuilder $builder, array $options) { $csrfProvider = $options['csrf_provider']; @@ -47,20 +61,31 @@ public function buildForm(FormBuilder $builder, array $options) ; } + /** + * {@inheritDoc} + */ public function getDefaultOptions(array $options) { return array( 'csrf_provider' => $this->csrfProvider, - 'intention' => null, + 'intention' => null, 'property_path' => false, ); } + /** + * {@inheritDoc} + */ public function getParent(array $options) { return 'hidden'; } + /** + * Returns the name of this form. + * + * @return string 'csrf' + */ public function getName() { return 'csrf'; diff --git a/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php b/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php index fdeb05fc9b56..08e8c43c7d35 100644 --- a/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php +++ b/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php @@ -27,6 +27,12 @@ public function __construct($enabled = true, $fieldName = '_token') $this->fieldName = $fieldName; } + /** + * Adds a CSRF field to the form when the CSRF protection is enabled. + * + * @param FormBuilder $builder The form builder + * @param array $options The options + */ public function buildForm(FormBuilder $builder, array $options) { if ($options['csrf_protection']) { @@ -36,11 +42,19 @@ public function buildForm(FormBuilder $builder, array $options) $csrfOptions['csrf_provider'] = $options['csrf_provider']; } - $builder->add($options['csrf_field_name'], 'csrf', $csrfOptions) - ->setAttribute('csrf_field_name', $options['csrf_field_name']); + $builder + ->add($options['csrf_field_name'], 'csrf', $csrfOptions) + ->setAttribute('csrf_field_name', $options['csrf_field_name']) + ; } } + /** + * Removes CSRF fields from all the form views except the root one. + * + * @param FormView $view The form view + * @param FormInterface $form The form + */ public function buildViewBottomUp(FormView $view, FormInterface $form) { if ($view->hasParent() && $form->hasAttribute('csrf_field_name')) { @@ -52,16 +66,22 @@ public function buildViewBottomUp(FormView $view, FormInterface $form) } } + /** + * {@inheritDoc} + */ public function getDefaultOptions(array $options) { return array( - 'csrf_protection' => $this->enabled, - 'csrf_field_name' => $this->fieldName, - 'csrf_provider' => null, - 'intention' => 'unknown', + 'csrf_protection' => $this->enabled, + 'csrf_field_name' => $this->fieldName, + 'csrf_provider' => null, + 'intention' => 'unknown', ); } + /** + * {@inheritDoc} + */ public function getExtendedType() { return 'form'; diff --git a/src/Symfony/Component/Form/Form.php b/src/Symfony/Component/Form/Form.php index 414747d7e367..29ad867120f4 100644 --- a/src/Symfony/Component/Form/Form.php +++ b/src/Symfony/Component/Form/Form.php @@ -24,13 +24,6 @@ * * A form is composed of a validator schema and a widget form schema. * - * Form also takes care of CSRF protection by default. - * - * A CSRF secret can be any random string. If set to false, it disables the - * CSRF protection, and if set to null, it forces the form to use the global - * CSRF secret. If the global CSRF secret is also null, then a random one - * is generated on the fly. - * * To implement your own form fields, you need to have a thorough understanding * of the data flow within a form field. A form field stores its data in three * different representations: