
Commit a564728

[FrameworkBundle] Automatically enable the CSRF if component *+ session* are loaded
1 parent 5fd1344 commit a564728


2 files changed

+16
-3
lines changed

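--- a/DependencyInjection/Configuration.php
+++ b/DependencyInjection/Configuration.php
@@ -21,6 +21,7 @@
 use Symfony\Component\Form\Form;
 use Symfony\Component\Lock\Lock;
 use Symfony\Component\Lock\Store\SemaphoreStore;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Serializer\Serializer;
 use Symfony\Component\Translation\Translator;
 use Symfony\Component\Validator\Validation;
@@ -142,7 +143,14 @@ private function addCsrfSection(ArrayNodeDefinition $rootNode)
 $rootNode
 ->children()
 ->arrayNode('csrf_protection')
-->canBeEnabled()
+->treatFalseLike(array('enabled' => false))
+->treatTrueLike(array('enabled' => true))
+->treatNullLike(array('enabled' => true))
+->addDefaultsIfNotSet()
+->children()
+// defaults to framework.session.enabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class)
+->booleanNode('enabled')->defaultNull()->end()
+->end()
 ->end()
 ->end()
 ;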
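Review bot: The inline comment at new line 151 copies the exact expression that FrameworkExtension::load() evaluates, so the two will drift the next time either side changes; point at the owner instead, e.g. `// null means "auto-detect": resolved in FrameworkExtension::load() from session.enabled and component availability`. It is also worth stating in that comment that the three `treat*Like` calls above make an explicit `csrf_protection: ~` force `enabled: true`, while only an omitted key yields the `null` that triggers auto-detection, since the two spellings look interchangeable to a user. addCsrfSection's signature is in the hunk header but its body continues outside the hunk.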

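--- a/DependencyInjection/FrameworkExtension.php
+++ b/DependencyInjection/FrameworkExtension.php
@@ -17,6 +17,7 @@
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Bundle\FrameworkBundle\Routing\AnnotatedRouteControllerLoader;
+use Symfony\Bundle\FullStack;
 use Symfony\Component\Cache\Adapter\AbstractAdapter;
 use Symfony\Component\Cache\Adapter\AdapterInterface;
 use Symfony\Component\Cache\Adapter\ArrayAdapter;
@@ -63,6 +64,7 @@
 use Symfony\Component\Routing\Loader\AnnotationDirectoryLoader;
 use Symfony\Component\Routing\Loader\AnnotationFileLoader;
 use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Serializer\Encoder\DecoderInterface;
 use Symfony\Component\Serializer\Encoder\EncoderInterface;
 use Symfony\Component\Serializer\Mapping\Factory\CacheClassMetadataFactory;
@@ -229,6 +231,11 @@ public function load(array $configs, ContainerBuilder $container)
 $this->registerRequestConfiguration($config['request'], $container, $loader);
 }
 
+if (null === $config['csrf_protection']['enabled']) {
+$config['csrf_protection']['enabled'] = $this->sessionConfigEnabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class);
+}
+$this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
+
 if ($this->isConfigEnabled($container, $config['form'])) {
 if (!class_exists('Symfony\Component\Form\Form')) {
 throw new LogicException('Form support cannot be enabled as the Form component is not installed.');
@@ -249,8 +256,6 @@ public function load(array $configs, ContainerBuilder $container)
 $container->removeDefinition('console.command.form_debug');
 }
 
-$this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
-
 if ($this->isConfigEnabled($container, $config['assets'])) {
 if (!class_exists('Symfony\Component\Asset\Package')) {
 throw new LogicException('Asset support cannot be enabled as the Asset component is not installed.');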
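Review bot: The auto-detected default at new line 235 reads `$this->sessionConfigEnabled`, a property assigned somewhere else in load() (not visible in this hunk), so the block silently depends on the session section having been processed before this point; if that ordering is ever changed, auto-detection evaluates to false and CSRF protection stays off with no error, even though the component is installed. Nothing at the call site records that constraint, so a comment would help: `// must run after the session section: the auto default depends on $this->sessionConfigEnabled`. It may also be worth documenting, next to that line, that a consumer who wants CSRF protection without relying on detection should set `framework.csrf_protection.enabled: true` explicitly, since the `null` branch is the only one that can quietly resolve to disabled. load() starts and ends outside the hunk.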
