开发者

Symfony: secure delete link with CSRFProtection

开发者 https://www.devze.com 2023-03-11 00:22 出处:网络
I have a delete link to delete a Comment object by ID /comment/:id/delete In order to secure this link I add a csrf token to the link

I have a delete link to delete a Comment object by ID /comment/:id/delete

In order to secure this link I add a csrf token to the link

$CSRFTokenForm = new BaseForm();
$link = url_for(..., array('_csrf_token' => $CSRFTokenForm->getCSRFToken()));

and in the executeDelete i use the checkCSRFProtection() method, and it all works fine.

The only thing is that each comment is displayed by a partial, and each partial creates it's own BaseForm() in order to create the token, which is waste of time since they're all the same..

Do you have a better idea on how to make it more efficie开发者_Python百科nt, like maybe a static getCSRFToken() method or creating a global BaseForm()?


Use SF's method => delete. It creates the CSRF token for you:

<?php 
    echo link_to('comment/' . $comment->getId() . '/delete', 
             array(
                 'method'  => 'delete', 
                 'confirm' => 'Do you really want to delete the comment??', 
                 'title'   => 'Delete'
             )
         ); 
?>


Yes it's a jQuery Plugin error. If you are using sfJqueryReloadedPlugin - 1.4.3 you need to change the source code of the file jQueryHelper in the plugin's directory and put "BaseForm" instead of "sfForm" in the "csrf => 1" sectuo


With the jQuery Plugin try:

jq_link_to_remote('comment/' . $comment->getId() . '/delete', array('csrf' => 1))

Found it in the sourcecode and they do it with a BaseForm instance, too.

0

精彩评论

暂无评论...
验证码 换一张
取 消