SensioFrameworkExtraBundle
Added CSRF validation (closes #362, #375)
Closes #362, #375
TODO:
- [x] Add tests
@fabpot tests pass. Please review.
Update:
- rebased on master
- annotation properties are made private
- added default intention equal to "default"
- updated docs
- updated tests
- created own exception. I doubt that reusing AccessDeniedException is a good idea because it depends on attributes and a subject, and it was created for authorization errors. Also, this new exception allows passing a valid token, which is useful for handling invalid tokens on the client: we can refresh the token, ask the user and allow retrying the last action with the new token.
Test failures look unrelated to this PR.
Rebased on master again.
ping @fabpot
Questions that need to be resolved:
1a. Should I add and register a custom exception handler for converting InvalidCsrfTokenException to a 403 response? An invalid CSRF token produces a 500 error for now.
1b. AccessDeniedException is not a good idea for the reasons described in https://github.com/sensiolabs/SensioFrameworkExtraBundle/pull/430#issuecomment-249187438
1c. Or extend from HttpException from http-kernel?
2. My listener reflects the logic of the security listener. But is it possible to check the availability of the required services inside the configuration and enable/disable the required annotations depending on service availability? Like https://github.com/symfony/symfony/blob/master/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php#L512, but we need to check services.
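One way to answer question 1a while keeping the retry behaviour argued for in the update above: a kernel.exception subscriber that turns the bundle's CSRF exception into a 403 instead of a 500 and hands the client a fresh token. This is an added example, not code from the PR or the bundle; it assumes PHP 8 with a Symfony 5.4+/6.x HttpKernel and Security CSRF component, and it assumes the exception class name and namespace (`Sensio\Bundle\FrameworkExtraBundle\Exception\InvalidCsrfTokenException`) and the token id ("default", matching the PR's default intention).

```php
<?php
// Added example, not the PR's code: convert the (assumed) InvalidCsrfTokenException
// into a 403 JSON response carrying a freshly generated CSRF token so the client can
// resubmit the last action, instead of letting it bubble up as a 500.
declare(strict_types=1);

namespace App\EventSubscriber;

use Sensio\Bundle\FrameworkExtraBundle\Exception\InvalidCsrfTokenException; // assumed class/namespace
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

final class CsrfExceptionSubscriber implements EventSubscriberInterface
{
    public function __construct(
        private CsrfTokenManagerInterface $tokenManager,
        private string $tokenId = 'default', // assumed: the PR's default intention
    ) {}

    public static function getSubscribedEvents(): array
    {
        // Priority 10: run before Symfony's default exception handling, which would
        // otherwise render this unknown exception as a 500.
        return [KernelEvents::EXCEPTION => ['onKernelException', 10]];
    }

    public function onKernelException(ExceptionEvent $event): void
    {
        $exception = $event->getThrowable();
        if (!$exception instanceof InvalidCsrfTokenException) {
            return; // leave every other exception to the normal handling
        }

        // Invalidate the stale token and issue a new one for the retry.
        $freshToken = $this->tokenManager->refreshToken($this->tokenId)->getValue();

        $event->setResponse(new JsonResponse(
            ['error' => 'Invalid CSRF token', 'csrf_token' => $freshToken],
            Response::HTTP_FORBIDDEN,
        ));
    }
}
```

With autowiring enabled the subscriber is registered automatically; the client reads `csrf_token` from the 403 body and repeats the request with it.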
@fabpot can you review and give advice on my previous questions, please? It would be nice to finish this PR.
Closing as this repository is not maintained anymore. As of Symfony 6.2, all features have been moved to Symfony core now. See #783