
Ticket #46 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

CSRF token missing from forms

Reported by: cberg
Owned by: boutell
Priority: minor
Milestone: 1.0
Component: apostrophePlugin
Version: Symfony 1.4
Keywords:
Cc:
Symfony version:

Description

When creating a plain new project using Symfony 1.4, the CSRF token is automatically activated.

As Apostrophe's forms are hand-rendered, they're missing a call to the sfForm::renderHiddenFields method, which renders those fields. Instead of adding it, the CSRF token could be removed for these forms.

I could copy the whole templates into my own project and add the method call to all relevant forms, but then I would have to merge template changes myself.
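The situation the ticket describes, shown as an added example that is not code from the Apostrophe project, from Symfony, or from the reporter: a hand-rendered Symfony 1.4 template that never emits the hidden CSRF field, the same template with the missing sfForm::renderHiddenFields() call, the action that binds the form (where the missing token surfaces as a validation error), and the per-form opt-out the reporter mentions as the alternative. The module name `article`, the form class `ArticleForm` and its `title` field are assumptions made for the example.

```php
<?php
// Added example for this ticket; not code from Apostrophe or Symfony.
// Assumes a Symfony 1.4 app with csrf_secret set in config/settings.yml
// (a freshly generated project has it on by default), a hypothetical
// module "article", and a hypothetical ArticleForm with a "title" field.

// ---- apps/frontend/modules/article/templates/_form.php, as the ticket
// describes it: hand-rendered field by field, so the hidden _csrf_token
// input that sfForm adds to the form is never written into the page.
// Every legitimate POST then fails validation with the global error
// "CSRF attack detected." (the default message of sfValidatorCSRFToken).
?>
<form action="<?php echo url_for('article/save') ?>" method="post">
  <?php echo $form['title']->renderLabel() ?>
  <?php echo $form['title']->render() ?>
  <?php echo $form['title']->renderError() ?>
  <input type="submit" value="Save" />
</form>

<?php
// ---- The same template with the missing call. renderHiddenFields()
// emits every hidden widget in the form, including the CSRF token, so
// the template keeps working whether CSRF protection is on or off.
?>
<form action="<?php echo url_for('article/save') ?>" method="post">
  <?php echo $form->renderGlobalErrors() ?>
  <?php echo $form['title']->renderLabel() ?>
  <?php echo $form['title']->render() ?>
  <?php echo $form['title']->renderError() ?>
  <?php echo $form->renderHiddenFields() ?>
  <input type="submit" value="Save" />
</form>

<?php
// ---- apps/frontend/modules/article/actions/actions.class.php (excerpt).
// Nothing CSRF-specific is needed here: with protection enabled, sfForm
// registers a validator for the _csrf_token field, so a submission that
// lacks the token, or carries one minted for another session (the token
// is derived from csrf_secret, the session id and the form class), fails
// isValid() and the template is re-rendered with the global error shown.
class articleActions extends sfActions
{
  public function executeSave(sfWebRequest $request)
  {
    $this->form = new ArticleForm();

    $this->form->bind(
      $request->getParameter($this->form->getName()),
      $request->getFiles($this->form->getName())
    );

    if ($this->form->isValid())
    {
      $this->form->save(); // assumes ArticleForm is a Doctrine/Propel form
      $this->redirect('article/index');
    }

    // Invalid (including a missing or stale CSRF token): fall through and
    // render the form again with its errors.
  }
}

// ---- lib/form/ArticleForm.class.php (excerpt): the alternative the
// reporter raises. Opting this one form out keeps the hand-rendered
// template working but leaves its POST endpoint without CSRF protection,
// so prefer adding renderHiddenFields() unless the action is guarded
// some other way.
class ArticleForm extends BaseArticleForm
{
  public function configure()
  {
    $this->disableCSRFProtection();
  }
}
```

The check lives in sfForm, not in the action, which is why the fix for a hand-rendered form is purely on the template side. An action that never binds an sfForm never runs the validator at all; that is the non-form-based case boutell's follow-up ticket refers to, and this example does not cover it.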

Change History

Changed 2 years ago by boutell

  • status changed from new to closed
  • resolution set to fixed

This is fixed (our forms are now CSRF compatible).

I have also opened ticket http://trac.apostrophenow.org/ticket/60 to look into the situation with various non-form-based actions and CSRF, but basic compatibility with the CSRF feature of Symfony has been achieved.

I'll be contacting symfony-devs about some interesting issues I found in the CSRF support; it's possibly a little more robust than is entirely helpful.

Changed 2 years ago by agilbert

  • milestone set to 1.0

Testing the batch modify plugin. Moving old, closed tickets to the 1.0 milestone so the roadmap is accurate.
