Symfony 2: Add CSRF token when using a form without a class
Firstly, I'm a complete noobie with Symfony 2. The question sounds simple; if I try to put some context into why and how I need this it will start to get confusing.

In essence I've created a form, which I manually process, validate and insert using Doctrine etc. I am manually creating the form within a controller action (it's built dynamically from values retrieved from another object). I'm assuming there may be better ways to do this, but as I'm new to Symfony, and after days of trawling the net, I can't see any solutions to what I need to do.

Therefore I'm not simply building a form against a class/entity etc., and so I will manually need to add a CSRF token or some kind of protection.

In normal circumstances you would create the FormType and configure the default options to have csrf_protection. Then it is a simple case of:

{{ form_widget(form._token) }}

and the CSRF token is there.

As I'm dynamically building the form I am not sure how I can manually create a CSRF token for my form. Has anyone had any experience of creating forms without a class and adding CSRF protection?

Kind regards, Paul Pounder
I think what you are looking for is the following:

This will render a CSRF token. Use this function if you want CSRF protection without creating a form:

{{ csrf_token("intention") }}

For example:

<a href="{{ path('remove_stuff', {token: csrf_token('intention')}) }}">Remove</a>

To validate this token from a controller, you can do (the submitted token is read from the request, here the "token" parameter used in the link above):

// $request is the Symfony\Component\HttpFoundation\Request injected into the action
$submittedToken = $request->get('token');
if ($submittedToken !== $this->get('security.csrf.token_manager')->getToken('intention')->getValue()) {
    throw new \Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException('Invalid CSRF token');
}

To simplify checking the token on Symfony 2.6 or newer:

$submittedToken = $request->get('token');
if ($this->isCsrfTokenValid('intention', $submittedToken)) {
    // ... do something, like deleting an object
}
Connection between Form Type and token:

{{ csrf_token("task_item_intention") }}

and in the Form Type:

use Symfony\Component\Form\AbstractType;
use Symfony\Component\OptionsResolver\OptionsResolverInterface;

class TaskType extends AbstractType
{
    // ...
    public function setDefaultOptions(OptionsResolverInterface $resolver)
    {
        $resolver->setDefaults(array(
            'data_class' => 'Acme\TaskBundle\Entity\Task',
            'csrf_protection' => true,
            'csrf_field_name' => '_token',
            // a unique key to help generate the secret token
            'intention' => 'task_item_intention',
        ));
    }
    // ...
}
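The answer above in one place, as an added example that is not part of the original post: a controller for a form whose fields are only known at runtime and that is not bound to any entity class, with the token rendered by csrf_token() in the template and checked with isCsrfTokenValid() on submit. It assumes Symfony 2.6 or newer; the route name "dynamic_form", the template name, the token id "dynamic_form" and the sample field names are placeholders chosen for the example.

```php
<?php
// Added example (not from the original post). Assumes Symfony 2.6+
// (isCsrfTokenValid()); route, template and token id names are placeholders.

namespace Acme\DemoBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class DynamicFormController extends Controller
{
    // Token id ("intention"): one per form, so a token issued for another
    // form on the site is not accepted here.
    const CSRF_TOKEN_ID = 'dynamic_form';

    public function formAction(Request $request)
    {
        // Field names would come from another object at runtime; this is a
        // constructed sample.
        $fieldNames = array('title', 'quantity');

        if ($request->isMethod('POST')) {
            // Read the token from the POST body only ($request->request),
            // not from a service lookup and not from the query string.
            $submittedToken = $request->request->get('_token');
            if (!$this->isCsrfTokenValid(self::CSRF_TOKEN_ID, $submittedToken)) {
                // Reject before touching any data; this maps to a 403 response.
                throw new AccessDeniedHttpException('Invalid CSRF token');
            }

            $values = array();
            foreach ($fieldNames as $name) {
                $values[$name] = $request->request->get($name);
            }
            // ... validate $values and persist them with Doctrine here ...

            return new Response('Saved: '.json_encode($values));
        }

        return $this->render('AcmeDemoBundle:Dynamic:form.html.twig', array(
            'field_names' => $fieldNames,
            'token_id'    => self::CSRF_TOKEN_ID,
        ));
    }
}

/*
 * Matching template (AcmeDemoBundle:Dynamic:form.html.twig). csrf_token()
 * takes the same id the controller validates against:
 *
 * <form method="post" action="{{ path('dynamic_form') }}">
 *     {% for name in field_names %}
 *         <label>{{ name }} <input type="text" name="{{ name }}"></label>
 *     {% endfor %}
 *     <input type="hidden" name="_token" value="{{ csrf_token(token_id) }}">
 *     <button type="submit">Save</button>
 * </form>
 */
```

The token id and the hidden field name are the only coupling between template and controller, so they are kept in one constant; a mismatch makes every submission fail the check rather than silently skipping it.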
In (my) normal circumstances you create a form and do not specifically configure CSRF - it happens automatically, and you use form_rest(form) or form_end(form) to render the hidden input with the CSRF token. I do not believe that this is any different for a form not backed by a model.
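The point of this second answer, as an added example that is not part of the original post: a form assembled field by field with createFormBuilder() and no data_class still gets the hidden _token field and its check for free, because csrf_protection is on by default. It uses Symfony 2.x string type names ("text", "integer"); the template name and the sample field definitions are placeholders for the example.

```php
<?php
// Added example (not from the original post). Symfony 2.3+ (handleRequest,
// isSubmitted, form_end); template name and field list are placeholders.

namespace Acme\DemoBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

class BuilderFormController extends Controller
{
    public function formAction(Request $request)
    {
        // Field definitions retrieved at runtime from some other object
        // (constructed sample: field name => form type name).
        $fieldTypes = array('title' => 'text', 'quantity' => 'integer');

        // null data: the form produces a plain array, not an entity.
        // Both options below are already the defaults; they are written out
        // only to show where the CSRF settings live for a class-less form.
        $builder = $this->createFormBuilder(null, array(
            'csrf_protection' => true,
            'csrf_field_name' => '_token',
        ));
        foreach ($fieldTypes as $name => $type) {
            $builder->add($name, $type);
        }
        $form = $builder->getForm();

        // handleRequest() binds the POST data and, as part of validation,
        // checks the _token field; a missing or wrong token makes isValid()
        // return false, so the data is never used.
        $form->handleRequest($request);
        if ($form->isSubmitted() && $form->isValid()) {
            $values = $form->getData(); // array('title' => ..., 'quantity' => ...)
            // ... persist $values with Doctrine here ...
            return new Response('Saved: '.json_encode($values));
        }

        // In the template, {{ form_end(form) }} or {{ form_rest(form) }}
        // renders the hidden _token input; no csrf_token() call is needed.
        return $this->render('AcmeDemoBundle:Dynamic:builder.html.twig', array(
            'form' => $form->createView(),
        ));
    }
}
```

Compared with the manual csrf_token() approach, this keeps token generation, rendering and validation inside the Form component, so there is no hand-written comparison to get wrong; the manual approach is only needed for links and requests that are not a form submission.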