From 0878c510d1f055e7fe13f7980999dbb224ac71b4 Mon Sep 17 00:00:00 2001 From: Henry Snoek Date: Thu, 28 May 2015 12:41:39 +0200 Subject: [PATCH 1/6] 4668 document isCsrfTokenValid --- book/controller.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/book/controller.rst b/book/controller.rst index 7ec7bd4ae3a..12f8a3416da 100644 --- a/book/controller.rst +++ b/book/controller.rst @@ -803,6 +803,18 @@ Just like when creating a controller for a route, the order of the arguments of order of the arguments, Symfony will still pass the correct value to each variable. +Checking the Validity of a CSRF Token +------------------------------------- + +Sometimes you want to use CSRF protection in an action where you don't want to use a +Symfony form. + +If, for example, you're doing a DELETE action, you can use ``isCsrfTokenValid()``:: + + if ($this->isCsrfTokenValid('token_id', 'TOKEN')) { + // ... do something, like deleting an object + } + Final Thoughts -------------- From 91b3f99159508115e4a6c0b9e75bf455f2c866b9 Mon Sep 17 00:00:00 2001 From: Henry Snoek Date: Thu, 28 May 2015 15:24:14 +0200 Subject: [PATCH 2/6] 4668 show non-shortcut alternative, use variable argument for submitted token --- book/controller.rst | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/book/controller.rst b/book/controller.rst index 12f8a3416da..898e7cd755a 100644 --- a/book/controller.rst +++ b/book/controller.rst 
@@ -811,10 +811,19 @@ Symfony form. If, for example, you're doing a DELETE action, you can use ``isCsrfTokenValid()``:: - if ($this->isCsrfTokenValid('token_id', 'TOKEN')) { + if ($this->isCsrfTokenValid('token_id', $submittedToken)) { // ... do something, like deleting an object } +.. versionadded:: 2.6 + The ``isCsrfTokenValid()`` shortcut method was added in Symfony 2.6. + +Previously you would use:: + + use Symfony\Component\Security\Csrf\CsrfToken; + + $this->get('security.csrf.token_manager')->isTokenValid(new CsrfToken('token_id', 'TOKEN')); + Final Thoughts -------------- From b7d133f85d220b318e914212877a09cb3a0191d8 Mon Sep 17 00:00:00 2001 From: Henry Snoek Date: Sat, 30 May 2015 14:25:27 +0200 Subject: [PATCH 3/6] 4668 link method to API docs, use 'was introduced' instead of 'was added' --- book/controller.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/book/controller.rst b/book/controller.rst index 898e7cd755a..9e3eece3012 100644 --- a/book/controller.rst +++ b/book/controller.rst @@ -440,7 +440,7 @@ If you want to redirect the user to another page, use the ``redirectToRoute()`` } .. versionadded:: 2.6 - The ``redirectToRoute()`` method was added in Symfony 2.6. Previously (and still now), you + The ``redirectToRoute()`` method was introduced in Symfony 2.6. Previously (and still now), you could use ``redirect()`` and ``generateUrl()`` together for this (see the example above). Or, if you want to redirect externally, just use ``redirect()`` and pass it the URL:: 
@@ -809,14 +809,15 @@ Checking the Validity of a CSRF Token Sometimes you want to use CSRF protection in an action where you don't want to use a Symfony form. -If, for example, you're doing a DELETE action, you can use ``isCsrfTokenValid()``:: +If, for example, you're doing a DELETE action, you can use the :method:`Symfony\\Bundle\\FrameworkBundle\\Controller\\Controller::isCsrfTokenValid` +method to check the CSRF token:: if ($this->isCsrfTokenValid('token_id', $submittedToken)) { // ... do something, like deleting an object } .. versionadded:: 2.6 - The ``isCsrfTokenValid()`` shortcut method was added in Symfony 2.6. + The ``isCsrfTokenValid()`` shortcut method was introduced in Symfony 2.6. Previously you would use:: From 42c78fde8a65f1f89f5a2f60649dba258736bc4f Mon Sep 17 00:00:00 2001 From: Henry Snoek Date: Sun, 31 May 2015 10:26:51 +0200 Subject: [PATCH 4/6] 4668 move method reference to own line --- book/controller.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/book/controller.rst b/book/controller.rst index 9e3eece3012..0916dba6e61 100644 --- a/book/controller.rst +++ b/book/controller.rst @@ -809,7 +809,8 @@ Checking the Validity of a CSRF Token Sometimes you want to use CSRF protection in an action where you don't want to use a Symfony form. -If, for example, you're doing a DELETE action, you can use the :method:`Symfony\\Bundle\\FrameworkBundle\\Controller\\Controller::isCsrfTokenValid` +If, for example, you're doing a DELETE action, you can use the +:method:`Symfony\\Bundle\\FrameworkBundle\\Controller\\Controller::isCsrfTokenValid` method to check the CSRF token:: if ($this->isCsrfTokenValid('token_id', $submittedToken)) { From 1d0aa8e2af33d51e8834d9cf628cc887ef41a05c Mon Sep 17 00:00:00 2001 From: Henry Snoek Date: Tue, 28 Jul 2015 20:14:45 +0200 Subject: [PATCH 5/6] 4668 rephrased two sentences --- book/controller.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/book/controller.rst b/book/controller.rst index 0916dba6e61..84a726eaaed 100644 --- a/book/controller.rst +++ b/book/controller.rst @@ -806,8 +806,8 @@ variable. Checking the Validity of a CSRF Token ------------------------------------- -Sometimes you want to use CSRF protection in an action where you don't want to use a -Symfony form. +Sometimes you want to use CSRF protection in an action where you don't want to use the +Symfony Form component. If, for example, you're doing a DELETE action, you can use the :method:`Symfony\\Bundle\\FrameworkBundle\\Controller\\Controller::isCsrfTokenValid` @@ -820,7 +820,7 @@ method to check the CSRF token:: .. versionadded:: 2.6 The ``isCsrfTokenValid()`` shortcut method was introduced in Symfony 2.6. -Previously you would use:: +It is equivalent to executing the following code:: use Symfony\Component\Security\Csrf\CsrfToken; From e719d563f967a14c5f0d8d72b2e6b15114d726c6 Mon Sep 17 00:00:00 2001 From: Henry Snoek Date: Tue, 28 Jul 2015 21:32:34 +0200 Subject: [PATCH 6/6] 4668 change title --- book/controller.rst | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/book/controller.rst b/book/controller.rst index 84a726eaaed..18555aeb521 100644 --- a/book/controller.rst +++ b/book/controller.rst @@ -803,8 +803,8 @@ Just like when creating a controller for a route, the order of the arguments of order of the arguments, Symfony will still pass the correct value to each variable. -Checking the Validity of a CSRF Token -------------------------------------- +Validating a CSRF Token +----------------------- Sometimes you want to use CSRF protection in an action where you don't want to use the Symfony Form component. 
@@ -819,8 +819,7 @@ method to check the CSRF token:: .. versionadded:: 2.6 The ``isCsrfTokenValid()`` shortcut method was introduced in Symfony 2.6. - -It is equivalent to executing the following code:: + It is equivalent to executing the following code:: use Symfony\Component\Security\Csrf\CsrfToken;
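Review bot: In PATCH 1/6, the new example `if ($this->isCsrfTokenValid('token_id', 'TOKEN'))` hard-codes the submitted token as the literal string `'TOKEN'`, which reads as if a fixed value were being compared; the second argument must be the token that actually arrived with the request, so pass a variable and say where it comes from (the request body or a hidden field of the DELETE form). The snippet also shows only the success branch; one sentence on what the action must do when the check fails (refuse the operation and return an error response) would make the protection explicit rather than implied.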
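Review bot: In PATCH 2/6, the shortcut example is changed to `$submittedToken`, but the token-manager alternative added below it still passes the literal `'TOKEN'` in `new CsrfToken('token_id', 'TOKEN')`; use the same `$submittedToken` in both snippets so they are actually equivalent. The lead-in "Previously you would use::" also suggests the `security.csrf.token_manager` call is obsolete, whereas it is exactly what the shortcut wraps; "equivalent to" is the accurate wording (as later adopted in PATCH 5/6).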
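Review bot: In the second hunk of PATCH 6/6, moving "It is equivalent to executing the following code::" inside the `versionadded` directive means the literal block that follows (`use Symfony\Component\Security\Csrf\CsrfToken;` and the `isTokenValid()` call) must now be indented deeper than that directive paragraph, otherwise reStructuredText will not render it as a code block; please check the indentation of those context lines. Keeping the sentence and its code outside the directive, so the equivalence stays visible once the version note is eventually dropped, is the simpler option.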