
Commit

Merge branch '2.7' into 2.8
Conflicts:
	reference/configuration/security.rst
xabbuh committed Jan 18, 2016
2 parents 2d31a0f + f355248 commit f792232
Showing 8 changed files with 42 additions and 22 deletions.
10 changes: 7 additions & 3 deletions book/forms.rst
Expand Up @@ -1812,7 +1812,7 @@ The CSRF token can be customized on a form-by-form basis. For example::
'csrf_protection' => true,
'csrf_field_name' => '_token',
// a unique key to help generate the secret token
'intention' => 'task_item',
'csrf_token_id' => 'task_item',
));
}

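Review bot: the comment "a unique key to help generate the secret token" directly above the renamed option could be read as saying the csrf_token_id value is itself a secret; the note further down in this file describes its role as making the generated token different for each form. Suggest rewording the comment to make that clear, e.g. `// a unique ID that makes the generated token specific to this form`.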
Expand All @@ -1828,8 +1828,12 @@ section.

.. note::

The ``intention`` option is optional but greatly enhances the security of
the generated token by making it different for each form.
The ``csrf_token_id`` option is optional but greatly enhances the security
of the generated token by making it different for each form.

.. versionadded:: 2.4
The ``csrf_token_id`` option was introduced in Symfony 2.4. Prior, you
had to use the ``intention`` option.

.. caution::

4 changes: 2 additions & 2 deletions components/expression_language/index.rst
@@ -1,5 +1,5 @@
Expression Language
===================
ExpressionLanguage
==================

.. toctree::
:maxdepth: 2
2 changes: 1 addition & 1 deletion cookbook/configuration/override_dir_structure.rst
Expand Up @@ -30,7 +30,7 @@ Override the ``cache`` Directory
--------------------------------

You can change the default cache directory by overriding the ``getCacheDir`` method
in the ``AppKernel`` class of you application::
in the ``AppKernel`` class of your application::

// app/AppKernel.php

4 changes: 2 additions & 2 deletions cookbook/form/form_customization.rst
Expand Up @@ -774,8 +774,8 @@ will be able to change the widget for each task as follows:

{% block _tasks_entry_widget %}
<tr>
<td>{{ form_widget(task.task) }}</td>
<td>{{ form_widget(task.dueDate) }}</td>
<td>{{ form_widget(form.task) }}</td>
<td>{{ form_widget(form.dueDate) }}</td>
</tr>
{% endblock %}

4 changes: 2 additions & 2 deletions cookbook/profiler/data_collector.rst
Expand Up @@ -160,7 +160,7 @@ block and set the value of two variables called ``icon`` and ``text``:
{% endset %}

{# the 'link' value set to 'false' means that this panel doesn't
show a section in the web profiler (default is 'true'). #}
show a section in the web profiler #}
{{ include('@WebProfiler/Profiler/toolbar_item.html.twig', { link: false }) }}
{% endblock %}

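Review bot: with "(default is 'true')" removed from the comment, nothing in this file tells readers what happens when `link` is omitted from the include call, while the second hunk in this file switches the other example to passing `{ 'link': true }` explicitly. Either keep a statement of the default in this comment or say in both places that `link` should always be passed explicitly, so the two examples tell a consistent story.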
Expand Down Expand Up @@ -203,7 +203,7 @@ must also define additional blocks:
</div>
{% endset %}

{{ include('@WebProfiler/Profiler/toolbar_item.html.twig') }}
{{ include('@WebProfiler/Profiler/toolbar_item.html.twig', { 'link': true }) }}
{% endblock %}

{% block head %}
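Review bot: the hash key is quoted here (`{ 'link': true }`) but unquoted in the `{ link: false }` example in the previous hunk of this file; both are valid Twig, but the two examples should use the same form. Suggest `{ link: true }` to match.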
8 changes: 8 additions & 0 deletions cookbook/security/acl_advanced.rst
Expand Up @@ -45,6 +45,14 @@ Security Identities
This is analog to the object identity, but represents a user, or a role in
your application. Each role, or user has its own security identity.

.. caution::

For users, the security identity is based on the username. This means that,
if for any reason, a user's username was to change, you must ensure its
security identity is updated too. The
:method:`MutableAclProvider::updateUserSecurityIdentity() <Symfony\\Component\\Security\\Acl\\Dbal\\MutableAclProvider::updateUserSecurityIdentity>`
method is there to handle the update.

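Review bot: "if for any reason, a user's username was to change, you must ensure its security identity is updated too" reads awkwardly; suggest "if, for any reason, a user's username changes, you must make sure the corresponding security identity is updated as well". The caution would also be more useful if it spelled out the consequence: because the identity is keyed on the username, ACL entries granted under the old name no longer apply to the renamed user until `updateUserSecurityIdentity()` has been run.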
Database Table Structure
------------------------

22 changes: 15 additions & 7 deletions cookbook/security/csrf_in_login_form.rst
Expand Up @@ -33,7 +33,7 @@ provider available in the Security component:
# ...
form_login:
# ...
csrf_provider: security.csrf.token_manager
csrf_token_generator: security.csrf.token_manager
.. code-block:: xml
Expand All @@ -50,7 +50,7 @@ provider available in the Security component:
<firewall name="secured_area">
<!-- ... -->
<form-login csrf-provider="security.csrf.token_manager" />
<form-login csrf-token-generator="security.csrf.token_manager" />
</firewall>
</config>
</srv:container>
Expand All @@ -66,12 +66,16 @@ provider available in the Security component:
// ...
'form_login' => array(
// ...
'csrf_provider' => 'security.csrf.token_manager',
'csrf_token_generator' => 'security.csrf.token_manager',
),
),
),
));
.. versionadded:: 2.4
The ``csrf_token_generator`` option was introduced in Symfony 2.4. Prior,
you had to use the ``csrf_provider`` option.

The Security component can be configured further, but this is all information
it needs to be able to use CSRF in the login form.

Expand Down Expand Up @@ -124,7 +128,7 @@ After this, you have protected your login form against CSRF attacks.
.. tip::

You can change the name of the field by setting ``csrf_parameter`` and change
the token ID by setting ``intention`` in your configuration:
the token ID by setting ``csrf_token_id`` in your configuration:

.. configuration-block::

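Review bot: "change the token ID by setting csrf_token_id" is correct, but together with the sample value `a_private_string` used in the code blocks below it may suggest the token ID is a secret that must be protected. Consider adding a clause saying its role is to make the token specific to this form (as book/forms.rst in this same commit puts it), and perhaps using a value like `authenticate`, which the reference configuration in this commit uses, rather than one that implies secrecy.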
Expand All @@ -140,7 +144,7 @@ After this, you have protected your login form against CSRF attacks.
form_login:
# ...
csrf_parameter: _csrf_security_token
intention: a_private_string
csrf_token_id: a_private_string
.. code-block:: xml
Expand All @@ -158,7 +162,7 @@ After this, you have protected your login form against CSRF attacks.
<firewall name="secured_area">
<!-- ... -->
<form-login csrf-parameter="_csrf_security_token"
intention="a_private_string"
csrf-token-id="a_private_string"
/>
</firewall>
</config>
Expand All @@ -176,11 +180,15 @@ After this, you have protected your login form against CSRF attacks.
'form_login' => array(
// ...
'csrf_parameter' => '_csrf_security_token',
'intention' => 'a_private_string',
'csrf_token_id' => 'a_private_string'
),
),
),
));
.. versionadded:: 2.4
The ``csrf_token_id`` option was introduced in Symfony 2.4. Prior, you
had to use the ``intention`` option.

.. _`Cross-site request forgery`: https://en.wikipedia.org/wiki/Cross-site_request_forgery
.. _`Forging Login Requests`: https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests
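Review bot: the new line `'csrf_token_id' => 'a_private_string'` drops the trailing comma that the replaced `'intention' => 'a_private_string',` line had and that the `'csrf_token_generator'` line earlier in this file keeps; it is valid PHP as the last array element, but suggest keeping the comma for consistency with the other array examples in this file.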
10 changes: 5 additions & 5 deletions reference/configuration/security.rst
Expand Up @@ -161,9 +161,9 @@ Each part will be explained in the next section.
password_parameter: _password
# csrf token options
csrf_parameter: _csrf_token
intention: authenticate
csrf_provider: my.csrf_provider.id
csrf_parameter: _csrf_token
csrf_token_id: authenticate
csrf_token_generator: my.csrf_token_generator.id
# by default, the login form *must* be a POST, not a GET
post_only: true
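Review bot: `csrf_parameter: _csrf_token` appears twice in this hunk, once on the removed side and once on the added side, with identical visible content; given the conflict noted in this file, this looks like a whitespace-only change left over from the conflict resolution. Worth checking the indentation and trailing whitespace of that line so the rendered reference keeps a single `csrf_parameter` entry and the diff does not carry a no-op change.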
Expand Down Expand Up @@ -209,8 +209,8 @@ Each part will be explained in the next section.
context: ~
logout:
csrf_parameter: _csrf_token
csrf_provider: ~
intention: logout
csrf_token_generator: ~
csrf_token_id: logout
path: /logout
target: /
success_handler: ~
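Review bot: `csrf_token_generator: ~` lists a null default for `logout`, but the reference does not say what that means in practice; a short comment stating whether the logout path is then left without CSRF protection until a generator is configured would help, since cookbook/security/csrf_in_login_form.rst in this same commit shows the option having to be set explicitly.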
