From 62c2f025cbf029fddaf3b22f74b4379929f3737e Mon Sep 17 00:00:00 2001 From: Henry Snoek Date: Thu, 28 May 2015 12:41:39 +0200 Subject: [PATCH 1/4] 4668 document isCsrfTokenValid --- book/controller.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/book/controller.rst b/book/controller.rst index 7ec7bd4ae3a..12f8a3416da 100644 --- a/book/controller.rst +++ b/book/controller.rst @@ -803,6 +803,18 @@ Just like when creating a controller for a route, the order of the arguments of order of the arguments, Symfony will still pass the correct value to each variable. +Checking the Validity of a CSRF Token +------------------------------------- + +Sometimes you want to use CSRF protection in an action where you don't want to use a +Symfony form. + +If, for example, you're doing a DELETE action, you can use ``isCsrfTokenValid()``:: + + if ($this->isCsrfTokenValid('token_id', 'TOKEN')) { + // ... do something, like deleting an object + } + Final Thoughts -------------- From af4ebaa72c27305bc77ea9c7fb702715e21d0e90 Mon Sep 17 00:00:00 2001 From: Henry Snoek Date: Thu, 28 May 2015 15:24:14 +0200 Subject: [PATCH 2/4] 4668 show non-shortcut alternative, use variable argument for submitted token --- book/controller.rst | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/book/controller.rst b/book/controller.rst index 12f8a3416da..898e7cd755a 100644 --- a/book/controller.rst +++ b/book/controller.rst @@ -811,10 +811,19 @@ Symfony form. If, for example, you're doing a DELETE action, you can use ``isCsrfTokenValid()``:: - if ($this->isCsrfTokenValid('token_id', 'TOKEN')) { + if ($this->isCsrfTokenValid('token_id', $submittedToken)) { // ... do something, like deleting an object } +.. versionadded:: 2.6 + The ``isCsrfTokenValid()`` shortcut method was added in Symfony 2.6. + +Previously you would use:: + + use Symfony\Component\Security\Csrf\CsrfToken; + + $this->get('security.csrf.token_manager')->isTokenValid(new CsrfToken('token_id', 'TOKEN')); + Final Thoughts -------------- From e4d9d495894de8d181dc1233620f637bc294b613 Mon Sep 17 00:00:00 2001 From: Henry Snoek Date: Sat, 30 May 2015 14:25:27 +0200 Subject: [PATCH 3/4] 4668 link method to API docs, use 'was introduced' instead of 'was added' --- book/controller.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/book/controller.rst b/book/controller.rst index 898e7cd755a..9e3eece3012 100644 --- a/book/controller.rst +++ b/book/controller.rst @@ -440,7 +440,7 @@ If you want to redirect the user to another page, use the ``redirectToRoute()`` } .. versionadded:: 2.6 - The ``redirectToRoute()`` method was added in Symfony 2.6. Previously (and still now), you + The ``redirectToRoute()`` method was introduced in Symfony 2.6. Previously (and still now), you could use ``redirect()`` and ``generateUrl()`` together for this (see the example above). Or, if you want to redirect externally, just use ``redirect()`` and pass it the URL:: @@ -809,14 +809,15 @@ Checking the Validity of a CSRF Token Sometimes you want to use CSRF protection in an action where you don't want to use a Symfony form. -If, for example, you're doing a DELETE action, you can use ``isCsrfTokenValid()``:: +If, for example, you're doing a DELETE action, you can use the :method:`Symfony\\Bundle\\FrameworkBundle\\Controller\\Controller::isCsrfTokenValid` +method to check the CSRF token:: if ($this->isCsrfTokenValid('token_id', $submittedToken)) { // ... do something, like deleting an object } .. versionadded:: 2.6 - The ``isCsrfTokenValid()`` shortcut method was added in Symfony 2.6. + The ``isCsrfTokenValid()`` shortcut method was introduced in Symfony 2.6. Previously you would use:: From 2de7c82015a857f94103a82ea7882b7cc047ac35 Mon Sep 17 00:00:00 2001 From: Henry Snoek Date: Sun, 31 May 2015 10:26:51 +0200 Subject: [PATCH 4/4] 4668 move method reference to own line --- book/controller.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/book/controller.rst b/book/controller.rst index 9e3eece3012..0916dba6e61 100644 --- a/book/controller.rst +++ b/book/controller.rst @@ -809,7 +809,8 @@ Checking the Validity of a CSRF Token Sometimes you want to use CSRF protection in an action where you don't want to use a Symfony form. -If, for example, you're doing a DELETE action, you can use the :method:`Symfony\\Bundle\\FrameworkBundle\\Controller\\Controller::isCsrfTokenValid` +If, for example, you're doing a DELETE action, you can use the +:method:`Symfony\\Bundle\\FrameworkBundle\\Controller\\Controller::isCsrfTokenValid` method to check the CSRF token:: if ($this->isCsrfTokenValid('token_id', $submittedToken)) {