diff --git a/security/csrf.rst b/security/csrf.rst index 76aaf9ea4bf..715ed8a5283 100644 --- a/security/csrf.rst +++ b/security/csrf.rst @@ -181,6 +181,32 @@ attribute on the controller action:: // ... do something, like deleting an object } +Suppose you want a CSRF token per item, so in the template you have something like the following: + +.. code-block:: html+twig + +
+ {# the argument of csrf_token() is a dynamic id string used to generate the token #} + + + +
+ +The :class:`Symfony\\Component\\Security\\Http\\Attribute\\IsCsrfTokenValid` +attribute also accepts an :class:`Symfony\\Component\\ExpressionLanguage\\Expression` +object evaluated to the id:: + + use Symfony\Component\HttpFoundation\Request; + use Symfony\Component\HttpFoundation\Response; + use Symfony\Component\Security\Http\Attribute\IsCsrfTokenValid; + // ... + + #[IsCsrfTokenValid(new Expression('"delete-item-" ~ args["post"].id'), tokenKey: 'token')] + public function delete(Post $post): Response + { + // ... do something, like deleting an object + } + .. versionadded:: 7.1 The :class:`Symfony\\Component\\Security\\Http\\Attribute\\IsCsrfTokenValid`
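Review bot: The controller snippet in this hunk calls `new Expression(...)`, but its `use` block imports only `Request`, `Response` and `IsCsrfTokenValid`; add `use Symfony\Component\ExpressionLanguage\Expression;` so the example works when copied as-is. The prose should also say what the expression is evaluated against, since the example relies on `args["post"].id` and readers otherwise have to guess that `args` maps to the resolved controller arguments. Finally, if accepting an `Expression` for the id landed in a later release than the attribute itself, it deserves its own `.. versionadded::` directive rather than sitting under the existing `7.1` one.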