From e0a49ba49a8c6b1ca770cc8cfc659975212f2b7f Mon Sep 17 00:00:00 2001 From: Antoine Lamirault Date: Tue, 7 May 2024 16:13:00 +0200 Subject: [PATCH] [Security] Add support for dynamic CSRF id with Expression in `#[IsCsrfTokenValid]` --- security/csrf.rst | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/security/csrf.rst b/security/csrf.rst index 76aaf9ea4bf..715ed8a5283 100644 --- a/security/csrf.rst +++ b/security/csrf.rst @@ -181,6 +181,32 @@ attribute on the controller action:: // ... do something, like deleting an object } +Suppose you want a CSRF token per item, so in the template you have something like the following: + +.. code-block:: html+twig + +
+ {# the argument of csrf_token() is a dynamic id string used to generate the token #} + + + +
+ +The :class:`Symfony\\Component\\Security\\Http\\Attribute\\IsCsrfTokenValid` +attribute also accepts an :class:`Symfony\\Component\\ExpressionLanguage\\Expression` +object evaluated to the id:: + + use Symfony\Component\HttpFoundation\Request; + use Symfony\Component\HttpFoundation\Response; + use Symfony\Component\Security\Http\Attribute\IsCsrfTokenValid; + // ... + + #[IsCsrfTokenValid(new Expression('"delete-item-" ~ args["post"].id'), tokenKey: 'token')] + public function delete(Post $post): Response + { + // ... do something, like deleting an object + } + .. versionadded:: 7.1 The :class:`Symfony\\Component\\Security\\Http\\Attribute\\IsCsrfTokenValid`