8000 [FrameworkBundle] Don't auto-register form/csrf when the correspondin… · symfony/framework-bundle@15df69b · GitHub

Commit 15df69b

[FrameworkBundle] Don't auto-register form/csrf when the corresponding components are not installed
1 parent f954349 commit 15df69b


9 files changed

+26
-11
lines changed


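--- a/DependencyInjection/Configuration.php
+++ b/DependencyInjection/Configuration.php
@@ -211,7 +211,7 @@ private function addCsrfSection(ArrayNodeDefinition $rootNode): void
 ->addDefaultsIfNotSet()
 ->fixXmlConfig('stateless_token_id')
 ->children()
-// defaults to framework.csrf_protection.stateless_token_ids || framework.session.enabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class)
+// defaults to (framework.csrf_protection.stateless_token_ids || framework.session.enabled) && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class)
 ->scalarNode('enabled')->defaultNull()->end()
 ->arrayNode('stateless_token_ids')
 ->scalarPrototype()->end()
@@ -237,8 +237,12 @@ private function addFormSection(ArrayNodeDefinition $rootNode, callable $enableI
 ->children()
 ->arrayNode('form')
 ->info('Form configuration')
-->{$enableIfStandalone('symfony/form', Form::class)}()
+->treatFalseLike(['enabled' => false])
+->treatTrueLike(['enabled' => true])
+->treatNullLike(['enabled' => true])
+->addDefaultsIfNotSet()
 ->children()
+->scalarNode('enabled')->defaultNull()->end() // defaults to !class_exists(FullStack::class) && class_exists(Form::class)
 ->arrayNode('csrf_protection')
 ->treatFalseLike(['enabled' => false])
 ->treatTrueLike(['enabled' => true])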
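Review bot: The comment added beside the form node's `->scalarNode('enabled')->defaultNull()` says the default is `class_exists(Form::class)`, but the resolution shown in FrameworkExtension::load() on this page calls `ContainerBuilder::willBeAvailable('symfony/form', Form::class, ['symfony/framework-bundle'])`, which takes a package name and an exclusion list and so may not give the same answer as a plain class check. I would reword it to `// null = auto-detect, resolved in FrameworkExtension::load(): !class_exists(FullStack::class) && ContainerBuilder::willBeAvailable('symfony/form', Form::class, ...)`. The same mismatch applies to the `interface_exists(CsrfTokenManagerInterface::class)` wording in the csrf comment of the first hunk. It would also help to note that `->treatNullLike(['enabled' => true])` presumably makes an explicit `form: ~` switch forms on, while omitting the `form` key leaves `enabled` at null for auto-detection. addFormSection continues outside the hunk.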

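--- a/DependencyInjection/FrameworkExtension.php
+++ b/DependencyInjection/FrameworkExtension.php
@@ -278,6 +278,19 @@ public function load(array $configs, ContainerBuilder $container): void
 $this->readConfigEnabled('profiler', $container, $config['profiler']);
 $this->readConfigEnabled('workflows', $container, $config['workflows']);
 
+// csrf depends on session or stateless token ids being registered
+if (null === $config['csrf_protection']['enabled']) {
+$this->writeConfigEnabled('csrf_protection', ($config['csrf_protection']['stateless_token_ids'] || $this->readConfigEnabled('session', $container, $config['session'])) && !class_exists(FullStack::class) && ContainerBuilder::willBeAvailable('symfony/security-csrf', CsrfTokenManagerInterface::class, ['symfony/framework-bundle']), $config['csrf_protection']);
+}
+
+if (null === $config['form']['enabled']) {
+$this->writeConfigEnabled('form', !class_exists(FullStack::class) && ContainerBuilder::willBeAvailable('symfony/form', Form::class, ['symfony/framework-bundle']), $config['form']);
+}
+
+if (null === $config['form']['csrf_protection']['enabled']) {
+$this->writeConfigEnabled('form.csrf_protection', $config['csrf_protection']['enabled'], $config['form']['csrf_protection']);
+}
+
 // A translator must always be registered (as support is included by
 // default in the Form and Validator component). If disabled, an identity
 // translator will be used and everything will still work as expected.
@@ -466,10 +479,6 @@ public function load(array $configs, ContainerBuilder $container): void
 $container->removeDefinition('test.session.listener');
 }
 
-// csrf depends on session being registered
-if (null === $config['csrf_protection']['enabled']) {
-$this->writeConfigEnabled('csrf_protection', $config['csrf_protection']['stateless_token_ids'] || $this->readConfigEnabled('session', $container, $config['session']) && !class_exists(FullStack::class) && ContainerBuilder::willBeAvailable('symfony/security-csrf', CsrfTokenManagerInterface::class, ['symfony/framework-bundle']), $config['csrf_protection']);
-}
 $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
 
 // form depends on csrf being registered
@@ -754,10 +763,6 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont
 {
 $loader->load('form.php');
 
-if (null === $config['form']['csrf_protection']['enabled']) {
-$this->writeConfigEnabled('form.csrf_protection', $config['csrf_protection']['enabled'], $config['form']['csrf_protection']);
-}
-
 if ($this->readConfigEnabled('form.csrf_protection', $container, $config['form']['csrf_protection'])) {
 if (!$container->hasDefinition('security.csrf.token_generator')) {
 throw new \LogicException('To use form CSRF protection, "framework.csrf_protection" must be enabled.');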
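Review bot: The added `form.csrf_protection` block in the first hunk passes `$config['csrf_protection']['enabled']` as the flag, so it is only correct once the `csrf_protection` block above it has resolved that value, and nothing in the new code records this ordering dependency; it also relies on writeConfigEnabled writing the resolved value back into the array it receives, which this page does not show. I would add a comment above it such as `// must stay after the csrf_protection block: form CSRF inherits the resolved framework.csrf_protection.enabled`. It is also worth documenting for operators that when symfony/security-csrf is not available the inherited value appears to be false, so forms are registered without CSRF tokens and the LogicException in registerFormConfiguration is not raised, since that check only runs when form CSRF is enabled. load() begins and ends outside these hunks.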

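--- a/Tests/DependencyInjection/Fixtures/php/form_csrf_disabled.php
+++ b/Tests/DependencyInjection/Fixtures/php/form_csrf_disabled.php
@@ -4,6 +4,7 @@
 'annotations' => false,
 'csrf_protection' => false,
 'form' => [
+'enabled' => true,
 'csrf_protection' => true,
 ],
 'http_method_override' => false,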

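--- a/Tests/DependencyInjection/Fixtures/php/form_no_csrf.php
+++ b/Tests/DependencyInjection/Fixtures/php/form_no_csrf.php
@@ -6,6 +6,7 @@
 'handle_all_throwables' => true,
 'php_errors' => ['log' => true],
 'form' => [
+'enabled' => true,
 'csrf_protection' => [
 'enabled' => false,
 ],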

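--- a/Tests/DependencyInjection/Fixtures/php/full.php
+++ b/Tests/DependencyInjection/Fixtures/php/full.php
@@ -6,6 +6,7 @@
 'enabled_locales' => ['fr', 'en'],
 'csrf_protection' => true,
 'form' => [
+'enabled' => true,
 'csrf_protection' => [
 'field_name' => '_csrf',
 ],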

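--- a/Tests/DependencyInjection/Fixtures/xml/full.xml
+++ b/Tests/DependencyInjection/Fixtures/xml/full.xml
@@ -10,7 +10,7 @@
 <framework:enabled-locale>fr</framework:enabled-locale>
 <framework:enabled-locale>en</framework:enabled-locale>
 <framework:csrf-protection />
-<framework:form>
+<framework:form enabled="true">
 <framework:csrf-protection field-name="_csrf"/>
 </framework:form>
 <framework:esi enabled="true" />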

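--- a/Tests/DependencyInjection/Fixtures/yml/form_csrf_disabled.yml
+++ b/Tests/DependencyInjection/Fixtures/yml/form_csrf_disabled.yml
@@ -2,6 +2,7 @@ framework:
 annotations: false
 csrf_protection: false
 form:
+enabled: true
 csrf_protection: true
 http_method_override: false
 handle_all_throwables: true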

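--- a/Tests/DependencyInjection/Fixtures/yml/form_no_csrf.yml
+++ b/Tests/DependencyInjection/Fixtures/yml/form_no_csrf.yml
@@ -5,5 +5,6 @@ framework:
 php_errors:
 log: true
 form:
+enabled: true
 csrf_protection:
 enabled: false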

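--- a/Tests/DependencyInjection/Fixtures/yml/full.yml
+++ b/Tests/DependencyInjection/Fixtures/yml/full.yml
@@ -4,6 +4,7 @@ framework:
 enabled_locales: ['fr', 'en']
 csrf_protection: true
 form:
+enabled: true
 csrf_protection:
 field_name: _csrf
 http_method_override: false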
