Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[Security][SecurityBundle] Use csrf_token_id instead of deprecated intention #16722

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
Closed

[Security][SecurityBundle] Use csrf_token_id instead of deprecated intention #16722

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a4823b7
[Security] Deprecate the intention option in authentication listeners…
jakzal Nov 28, 2015
ae4d588
[SecurityBundle] Use the csrf_token_id instead of the deprecated inte…
jakzal Nov 28, 2015
ac35350
Document the `intention` setting deprecation in the upgrade file
jakzal Nov 28, 2015
50856ca
[Security] Throw an exception if both "intention" and "csrf_token_id"…
jakzal Nov 28, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
[SecurityBundle] Use the csrf_token_id instead of the deprecated inte… 
…ntion
  • Loading branch information
@jakzal
jakzal committed Nov 28, 2015
commit ae4d5880787981d2f7bc8185cca77faa9219f484
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ CHANGELOG

* deprecated the `key` setting of `anonymous`, `remember_me` and `http_digest`
in favor of the `secret` setting.
* deprecated the `intention` firewall listener setting in favor of the `csrf_token_id`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this change also documented in the upgrade file?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now it is ;)


2.6.0
-----
Expand Down
2 changes: 1 addition & 1 deletion 2 src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ public function __construct()
$this->addOption('username_parameter', '_username');
$this->addOption('password_parameter', '_password');
$this->addOption('csrf_parameter', '_csrf_token');
$this->addOption('intention', 'authenticate');
$this->addOption('csrf_token_id', 'authenticate');
$this->addOption('post_only', true);
}

Expand Down
2 changes: 1 addition & 1 deletion 2 src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -299,7 +299,7 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
$listener = $container->setDefinition($listenerId, new DefinitionDecorator('security.logout_listener'));
$listener->replaceArgument(3, array(
'csrf_parameter' => $firewall['logout']['csrf_parameter'],
'intention' => $firewall['logout']['csrf_token_id'],
'csrf_token_id' => $firewall['logout']['csrf_token_id'],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is wrong as the LogoutListener doesn't handle an intention option (or we need to change the listener too which probably is better): https://github.com/symfony/symfony/blob/2.8/src/Symfony/Component/Security/Http/Firewall/LogoutListener.php#L62-L66

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm making changes to the security component just now :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

'logout_path' => $firewall['logout']['path'],
));
$listeners[] = new Reference($listenerId);
Expand Down
4 changes: 2 additions & 2 deletions 4 .../Bundle/SecurityBundle/Tests/Functional/Bundle/CsrfFormLoginBundle/Form/UserLoginType.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,12 +79,12 @@ public function buildForm(FormBuilderInterface $builder, array $options)
*/
public function configureOptions(OptionsResolver $resolver)
{
/* Note: the form's intention must correspond to that for the form login
/* Note: the form's csrf_token_id must correspond to that for the form login
* listener in order for the CSRF token to validate successfully.
*/

$resolver->setDefaults(array(
'intention' => 'authenticate',
'csrf_token_id' => 'authenticate',
));
}
}
Morty Proxy This is a proxified and sanitized view of the page, visit original site.