Merge pull request #611 from FriendsOfSymfony/disable_csrf

added a form extension to disable CSRF validation
FriendsOfSymfony · Nov 28, 2013 · 7abbc2c · 7abbc2c
2 parents 0b4a1ac + d21e4a1
commit 7abbc2c
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 0 deletions.
diff --git a/DependencyInjection/Configuration.php b/DependencyInjection/Configuration.php
@@ -41,6 +41,7 @@ public function getConfigTreeBuilder()
 
         $rootNode
             ->children()
+                ->scalarNode('disable_csrf_role')->defaultNull()->end()
                 ->arrayNode('access_denied_listener')
                     ->useAttributeAsKey('name')
                     ->prototype('boolean')->end()

diff --git a/DependencyInjection/FOSRestExtension.php b/DependencyInjection/FOSRestExtension.php
@@ -42,6 +42,11 @@ public function load(array $configs, ContainerBuilder $container)
         $loader->load('util.xml');
         $loader->load('request.xml');
 
+        if (!empty($config['disable_csrf_role'])) {
+            $loader->load('forms.xml');
+            $container->setParameter('fos_rest.disable_csrf_role', $config['disable_csrf_role']);
+        }
+
         $container->setParameter('fos_rest.cache_dir', $config['cache_dir']);
 
         $formats = array();

diff --git a/Form/Extension/DisableCSRFExtension.php b/Form/Extension/DisableCSRFExtension.php
@@ -0,0 +1,53 @@
+<?php
+
+/*
+ * This file is part of the FOSRestBundle package.
+ *
+ * (c) FriendsOfSymfony <http://friendsofsymfony.github.com/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace FOS\RestBundle\Form\Extension;
+
+use Symfony\Component\Form\AbstractTypeExtension;
+use Symfony\Component\OptionsResolver\OptionsResolverInterface;
+use Symfony\Component\Security\Core\SecurityContextInterface;
+
+/**
+ * Class DisableCSRFExtension
+ *
+ * @author Grégoire Pineau
+ */
+class DisableCSRFExtension extends AbstractTypeExtension
+{
+    private $securityContext;
+    private $role;
+
+    public function __construct(SecurityContextInterface $securityContext, $role)
+    {
+        $this->securityContext = $securityContext;
+        $this->role = $role;
+    }
+
+    public function setDefaultOptions(OptionsResolverInterface $resolver)
+    {
+        if (!$this->securityContext->getToken()) {
+            return;
+        }
+
+        if (!$this->securityContext->isGranted($this->role)) {
+            return;
+        }
+
+        $resolver->setDefaults(array(
+            'csrf_protection' => false,
+        ));
+    }
+
+    public function getExtendedType()
+    {
+        return 'form';
+    }
+}
diff --git a/Resources/config/forms.xml b/Resources/config/forms.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" ?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+    <services>
+        <service id="fos_rest.form.extension.csrf_disable" class="FOS\RestBundle\Form\Extension\DisableCSRFExtension">
+            <tag name="form.type_extension" alias="form" />
+            <argument type="service" id="security.context" />
+            <argument>%fos_rest.disable_csrf_role%</argument>
+        </service>
+    </services>
+</container>
diff --git a/Resources/doc/2-the-view-layer.md b/Resources/doc/2-the-view-layer.md
@@ -1,5 +1,6 @@
 Step 2: The view layer
 ======================
+
 ### Introduction
 
 The view layer makes it possible to write `format` (html, json, xml, etc) agnostic
@@ -304,5 +305,19 @@ fos_rest:
             callback_param:       false
 ```
 
+#### CSRF validation
+
+When building a single application that should handle forms both via HTML forms as well
+as via a REST API, one runs into a problem with CSRF token validation. In most cases it
+is necessary to enable them for HTML forms, but it makes no sense to use them for a REST
+API. For this reason there is a form extension to disable CSRF validation for users
+with a specific role. This of course requires that REST API users authenticate themselves
+and get a special role assigned.
+
+```yaml
+fos_rest:
+    disable_csrf_role: ROLE_API
+```
+
 ## That was it!
 [Return to the index](index.md) or continue reading about [Listener support](3-listener-support.md).
diff --git a/Resources/doc/configuration-reference.md b/Resources/doc/configuration-reference.md
@@ -3,6 +3,7 @@ Full default configuration
 
 ```yaml
 fos_rest:
+    disable_csrf_role:    ~
     access_denied_listener:
 
         # Prototype