feature #60007 [Security] Add methods param in IsCsrfTokenValid attribute (Oviglo)
This PR was squashed before being merged into the 7.3 branch.
Discussion
----------
[Security] Add methods param in IsCsrfTokenValid attribute
| Q | A
| ------------- | ---
| Branch? | 7.3
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| License | MIT
I use a controller action to show a confirmation message for deleting an entity; I think it could be useful to add a 'methods' param to the `#[IsCsrfTokenValid]` attribute.
```php
#[Route('/delete/{id}', name: 'delete', methods: ['GET', 'DELETE'], requirements: ['id' => Requirement::UUID])]
public function delete(Request $request, User $user, UserManager $userManager): Response
{
    if ($request->isMethod('DELETE') && $this->isCsrfTokenValid('delete'.$user->getId(), $request->request->get('_token'))) {
        $userManager->remove($user);

        return $this->redirectToRoute('admin_user_index');
    }

    return $this->render('/admin/user/delete.html.twig', [
        'entity' => $user,
    ]);
}
```
```php
#[Route('/delete/{id}', name: 'delete', methods: ['GET', 'DELETE'], requirements: ['id' => Requirement::UUID])]
#[IsCsrfTokenValid(new Expression('"delete" ~ args["user"].getId()'), methods: ['DELETE'])]
public function delete(Request $request, User $user, UserManager $userManager): Response
{
    if ($request->isMethod('DELETE')) {
        $userManager->remove($user);

        return $this->redirectToRoute('admin_user_index');
    }

    return $this->render('/admin/user/delete.html.twig', [
        'entity' => $user,
    ]);
}
```
The `isCsrfTokenValid` function is ignored if the request method is not set in the param.
What do you think about this?
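To make the gating described above concrete, here is an added stand-alone PHP sketch (not Symfony's attribute or listener code, and not part of the PR) of how a `methods` list decides whether the CSRF token is checked at all. The `IsCsrfTokenValidConfig` class, `StubTokenManager` and the array-shaped request are hypothetical stand-ins, and the rule that an empty `methods` list checks every method is an assumption.

```php
<?php
// Added example: a stand-alone sketch of request-method gating for a CSRF check.
// NOT Symfony's IsCsrfTokenValid implementation; every class here is a stand-in.
declare(strict_types=1);

final class IsCsrfTokenValidConfig
{
    /** @param string[] $methods Empty list is assumed to mean "check on every method". */
    public function __construct(
        public readonly string $id,
        public readonly array $methods = [],
        public readonly string $tokenKey = '_token',
    ) {}
}

final class StubTokenManager
{
    /** @param array<string, string> $issued map of token id => issued token value (constructed) */
    public function __construct(private array $issued) {}

    public function isTokenValid(string $id, ?string $token): bool
    {
        // Constant-time comparison so a forged token cannot be matched byte by byte.
        return null !== $token && isset($this->issued[$id])
            && hash_equals($this->issued[$id], $token);
    }
}

/** Returns true when the controller may run, false when the request should get a 403. */
function guard(IsCsrfTokenValidConfig $attr, array $request, StubTokenManager $tm): bool
{
    $method = strtoupper($request['method']);
    // The behaviour this PR adds: a method not listed in `methods` skips the check.
    if ($attr->methods !== [] && !in_array($method, array_map('strtoupper', $attr->methods), true)) {
        return true;
    }

    return $tm->isTokenValid($attr->id, $request['body'][$attr->tokenKey] ?? null);
}

// Constructed sample data: one issued token for the "delete42" id, DELETE-only check.
$tm = new StubTokenManager(['delete42' => 'constructed-token-value']);
$attr = new IsCsrfTokenValidConfig('delete42', methods: ['DELETE']);

$cases = [
    'GET confirmation page, no token' => ['method' => 'GET',    'body' => []],
    'DELETE with valid token'         => ['method' => 'DELETE', 'body' => ['_token' => 'constructed-token-value']],
    'DELETE with wrong token'         => ['method' => 'DELETE', 'body' => ['_token' => 'forged']],
    'DELETE with no token'            => ['method' => 'DELETE', 'body' => []],
];
foreach ($cases as $label => $req) {
    printf("%-33s => %s\n", $label, guard($attr, $req, $tm) ? 'allowed' : 'denied (403)');
}
```

The GET case passes without a token because it only renders the confirmation page; the state-changing DELETE is still refused unless the submitted token matches the issued one.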
Commits
-------
640e7a4d991 [Security] Add methods param in IsCsrfTokenValid attribute