NotificationsYou must be signed in to change notification settings
Fork9.7k
Star30.8k

[FrameworkBundle] Automatically enable the CSRF protection if CSRF manager exists#25151

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

fabpot merged 1 commit intosymfony:3.4fromsroze:enable-csrf-if-token-manager-exists

Nov 24, 2017

Merged

[FrameworkBundle] Automatically enable the CSRF protection if CSRF manager exists#25151

fabpot merged 1 commit intosymfony:3.4fromsroze:enable-csrf-if-token-manager-exists

Nov 24, 2017

Conversation

Copy link

Contributor

sroze commentedNov 24, 2017

Q	A
Branch?	3.4
Bug fix?	no
New feature?	yes
BC breaks?	no
Deprecations?	no
Tests pass?	yes
Fixed tickets	ø
License	MIT

This will automatically enable the CSRF protection ifCsrfTokenManagerInterface exists.

Automatically enable the CSRF protection if CSRF manager exists

fd43406

carsonbot added Status: Needs Review FrameworkBundle Feature labels

Nov 24, 2017

sroze mentioned this pull request

Nov 24, 2017

Proposing Flex-specific error messages in the controller shortcuts#25133

Merged

carsonbot added Status: Reviewed and removed Status: Needs Review labels

Nov 24, 2017

fabpot approved these changes

Nov 24, 2017

View reviewed changes

nicolas-grekas approved these changes

Nov 24, 2017

View reviewed changes

chalasr approved these changes

Nov 24, 2017

View reviewed changes

Copy link

ContributorAuthor

sroze commentedNov 24, 2017

Travis failure is not related :)

xabbuh added this to the3.4 milestone

Nov 24, 2017

Copy link

Member

fabpot commentedNov 24, 2017

Thank you@sroze.

fabpot merged commitfd43406 intosymfony:3.4

Nov 24, 2017

fabpot added a commit that referenced this pull request

Nov 24, 2017

bug#25151[FrameworkBundle] Automatically enable the CSRF protection…

d5f0428

… if CSRF manager exists (sroze)This PR was merged into the 3.4 branch.Discussion----------[FrameworkBundle] Automatically enable the CSRF protection if CSRF manager exists| Q             | A| ------------- | ---| Branch?       | 3.4| Bug fix?      | no| New feature?  | yes| BC breaks?    | no| Deprecations? | no| Tests pass?   | yes| Fixed tickets | ø| License       | MITThis will automatically enable the CSRF protection if `CsrfTokenManagerInterface` exists.Commits-------fd43406 Automatically enable the CSRF protection if CSRF manager exists

This was referencedNov 30, 2017

Release v3.4.0#25223

Merged

Release v4.0.0#25224

Merged

weaverryan mentioned this pull request

Dec 14, 2017

Fixing wrong class_exists on interface#25502

Merged

fabpot added a commit that referenced this pull request

Dec 14, 2017

bug#25502Fixing wrong class_exists on interface (weaverryan)

5fd5f19

This PR was merged into the 3.4 branch.Discussion----------Fixing wrong class_exists on interface| Q             | A| ------------- | ---| Branch?       | 3.4| Bug fix?      | yes| New feature?  | no| BC breaks?    | no| Deprecations? | no| Tests pass?   | yes| Fixed tickets | none| License       | MIT| Doc PR        |symfony/symfony-docs#8873 already does not mention changing anything in the configThis was a bug introduced in#25151 on the 3.4 branch. It's... pretty self-explanatory I hope :).Cheers!Commits-------be75bd9 Fixing wrong class_exists on interface

xabbuh mentioned this pull request

Dec 14, 2017

Adding Symfony4 supportFriendsOfSymfony/FOSUserBundle#2639

Merged

Copy link

Member

nicolas-grekas commentedDec 14, 2017•
edited
Loading

Is this really a good idea?
All tests are broken now, unless we patch them to explicitly disable CSRF.
seehttps://travis-ci.org/symfony/symfony/jobs/316664330
Not a real issue on the tests side (except that someone needs to fix them actually),
but is this really the DX we want?
ping@weaverryan

Copy link

Contributor

Tobion commentedDec 15, 2017

Auto-enabling CSRF without it working because session are not enabled, sounds like a bad DX

LogicException: CSRF protection needs sessions to be enabled.

How about only enabling it when session is enabled as well? Or even better, we implement#13464

Copy link

Member

fabpot commentedDec 15, 2017

I'm going to revert this change as it was broken anyway before the fix today, so it never worked. That will give us some time to implement it properly.

fabpot added a commit that referenced this pull request

Dec 15, 2017

Revert "bug#25151[FrameworkBundle] Automatically enable the CSRF pr…

903f120

…otection if CSRF manager exists (sroze)"This reverts commitd5f0428, reversingchanges made toe52825e.

fabpot added a commit that referenced this pull request

Dec 15, 2017

Merge branch '3.4' into 4.0

a91b5a5

* 3.4:  Revert "bug#25151 [FrameworkBundle] Automatically enable the CSRF protection if CSRF manager exists (sroze)"  Revert "bug#25502 Fixing wrong class_exists on interface (weaverryan)"

fabpot added a commit that referenced this pull request

Dec 15, 2017

Merge branch '4.0'

b9d7315

* 4.0:  Revert "bug#25151 [FrameworkBundle] Automatically enable the CSRF protection if CSRF manager exists (sroze)"  Revert "bug#25502 Fixing wrong class_exists on interface (weaverryan)"

sroze deleted the enable-csrf-if-token-manager-exists branch

December 15, 2017 10:14

weaverryan mentioned this pull request

Dec 15, 2017

Removing csrf_protection now that is is auto-enabledsymfony/recipes#314

Closed