vendor/symfony/form/Extension/Csrf/Type/FormTypeCsrfExtension.php line 73

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Form\Extension\Csrf\Type;
  14. use Symfony\Component\Form\AbstractTypeExtension;
  15. use Symfony\Component\Form\Extension\Core\Type\FormType;
  16. use Symfony\Component\Form\Extension\Core\Type\HiddenType;
  17. use Symfony\Component\Form\Extension\Csrf\EventListener\CsrfValidationListener;
  18. use Symfony\Component\Form\FormBuilderInterface;
  19. use Symfony\Component\Form\FormInterface;
  20. use Symfony\Component\Form\FormView;
  21. use Symfony\Component\Form\Util\ServerParams;
  22. use Symfony\Component\OptionsResolver\OptionsResolver;
  23. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  24. use Symfony\Contracts\Translation\TranslatorInterface;
  26. /**
  27. * @author Bernhard Schussek <bschussek@gmail.com>
  28. */
  29. class FormTypeCsrfExtension extends AbstractTypeExtension
  30. {
  31. private $defaultTokenManager;
  32. private $defaultEnabled;
  33. private $defaultFieldName;
  34. private $translator;
  35. private $translationDomain;
  36. private $serverParams;
  38. public function __construct(CsrfTokenManagerInterface $defaultTokenManager, bool $defaultEnabled = true, string $defaultFieldName = '_token', ?TranslatorInterface $translator = null, ?string $translationDomain = null, ?ServerParams $serverParams = null)
  39. {
  40. $this->defaultTokenManager = $defaultTokenManager;
  41. $this->defaultEnabled = $defaultEnabled;
  42. $this->defaultFieldName = $defaultFieldName;
  43. $this->translator = $translator;
  44. $this->translationDomain = $translationDomain;
  45. $this->serverParams = $serverParams;
  46. }
  48. /**
  49. * Adds a CSRF field to the form when the CSRF protection is enabled.
  50. */
  51. public function buildForm(FormBuilderInterface $builder, array $options)
  52. {
  53. if (!$options['csrf_protection']) {
  54. return;
  55. }
  57. $builder
  58. ->addEventSubscriber(new CsrfValidationListener(
  59. $options['csrf_field_name'],
  60. $options['csrf_token_manager'],
  61. $options['csrf_token_id'] ?: ($builder->getName() ?: \get_class($builder->getType()->getInnerType())),
  62. $options['csrf_message'],
  63. $this->translator,
  64. $this->translationDomain,
  65. $this->serverParams
  66. ))
  67. ;
  68. }
  70. /**
  71. * Adds a CSRF field to the root form view.
  72. */
  73. public function finishView(FormView $view, FormInterface $form, array $options)
  74. {
  75. if ($options['csrf_protection'] && !$view->parent && $options['compound']) {
  76. $factory = $form->getConfig()->getFormFactory();
  77. $tokenId = $options['csrf_token_id'] ?: ($form->getName() ?: \get_class($form->getConfig()->getType()->getInnerType()));
  78. $data = (string) $options['csrf_token_manager']->getToken($tokenId);
  80. $csrfForm = $factory->createNamed($options['csrf_field_name'], HiddenType::class, $data, [
  81. 'block_prefix' => 'csrf_token',
  82. 'mapped' => false,
  83. ]);
  85. $view->children[$options['csrf_field_name']] = $csrfForm->createView($view);
  86. }
  87. }
  89. /**
  90. * {@inheritdoc}
  91. */
  92. public function configureOptions(OptionsResolver $resolver)
  93. {
  94. $resolver->setDefaults([
  95. 'csrf_protection' => $this->defaultEnabled,
  96. 'csrf_field_name' => $this->defaultFieldName,
  97. 'csrf_message' => 'The CSRF token is invalid. Please try to resubmit the form.',
  98. 'csrf_token_manager' => $this->defaultTokenManager,
  99. 'csrf_token_id' => null,
  100. ]);
  101. }
  103. /**
  104. * {@inheritdoc}
  105. */
  106. public static function getExtendedTypes(): iterable
  107. {
  108. return [FormType::class];
  109. }
  110. }