Skip to content

csrf_token now can be used without installing the Form component #9488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

csrf_token now can be used without installing the Form component #9488

wants to merge 2 commits into from

Conversation

javiereguiluz
Copy link
Member

@javiereguiluz javiereguiluz commented Mar 23, 2018
edited
Loading

This fixes #9485.

@xabbuh in your original code (https://github.com/symfony/symfony/pull/25197/files) the function was added to Twig Bridge so ... could you please verify if installing just security-csrf is enough to use this function or if we need to install some other package? Thanks!

@javiereguiluz javiereguiluz added this to the 4.1 milestone Mar 23, 2018
xabbuh
xabbuh reviewed Mar 23, 2018
View reviewed changes
security/csrf.rst

.. code-block:: terminal

$ composer require security-csrf form
$ composer require security-csrf
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we now need to show how to install forms for the section where we integrate CSRF tokens into a Symfony form? Or is it too obvious that you do of course need the Form component for them?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with you that it would be too obvious to install form first because you are literally creating a Symfony Form in that section.

@xabbuh
Copy link
Member

xabbuh commented Mar 23, 2018

I think it's safe to assume that someone using Twig in a Symfony project has installed the TwigBundle which in turn pulls in the Twig bridge.

@xabbuh
Copy link
Member

xabbuh commented Mar 23, 2018

Well, what of course could happen is that someone installs the Security CSRF component 4.1 while still using TwigBundle and TwigBridge 4.0. Do we need to take care of that?

@javiereguiluz
Copy link
Member Author

@xabbuh thanks for sharing these details. I'd say that we should not explain this info because it's like an edge case and unrelated to Symfony ... it's more about managing Composer dependencies in your project.

@javiereguiluz
Copy link
Member Author

@xabbuh I finally added a versionadded directive mentioning that before 4.1 you needed to install Symfony Forms even if you didn't use them.

@javiereguiluz javiereguiluz mentioned this pull request Mar 26, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xabbuh xabbuh xabbuh left review comments

Assignees
No one assigned
Labels
Security Status: Reviewed
Projects
None yet
Milestone
4.1
Development

Successfully merging this pull request may close these issues.

[FrameworkBundle][TwigBridge] make csrf_token() usable without forms
3 participants
@javiereguiluz @xabbuh @carsonbot