Jakoss

Reputation: 5275

Invalid CSRF using symfony2 form type

I'm creating 2 forms in one action, and these forms are submitted by jQuery ajax to 2 other actions. Now the problem is that only the first form works. The edit form reports that the CSRF token is invalid. Why is that happening? My code:

Creating forms:

    $project = new Project();
    $addProjectForm = $this->createForm(new AddProjectType(), $project, [
        'action' => $this->generateUrl('tfpt_portfolio_versionhistory_addproject'),
        'method' => 'POST',
        'attr' => ['id' => 'newProjectForm']
    ]);
    $editProjectForm = $this->createForm(new EditProjectType(), $project, [
        'action' => $this->generateUrl('tfpt_portfolio_versionhistory_editproject'),
        'method' => 'POST',
        'attr' => ['id' => 'editProjectForm']
    ]);

Handling the edit form submit (the add form is pretty much identical):

    $project = new Project();
    $form = $this->createForm(new EditProjectType(), $project);

    // Binds the POST data to the form; the CSRF token is checked during validation
    $form->handleRequest($request);
    if ($form->isValid()) {
        // handle form
    }

The only difference between these 2 forms is that the edit form has one more field - a hidden id. Both are submitted by jQuery like this:

    var form = $("#editProjectForm");
    if (form.valid()) {
        $("#loader").show();
        $.ajax({
            type: form.attr('method'),
            url: form.attr('action'),
            // serialize() includes the hidden fields, so the CSRF token is sent too
            data: form.serialize()
        }).done(function (data) {
            // result
        });
    }

And I display the forms like this:

    {{ form_start(editProjectForm) }}
    {{ form_errors(editProjectForm) }}
    {{ form_widget(editProjectForm.name) }}
    {{ form_widget(editProjectForm.id) }}
    {{ form_rest(editProjectForm) }}
    {{ form_end(editProjectForm) }}

Can somebody point out my mistake? Isn't it possible to embed 3 forms in one action? Or do I have to generate the CSRF token another way?

@Edit: I updated Symfony to the newest release and now it's working perfectly. Seems like this version had a bug, or I was missing some vendor code. Anyway, problem resolved.

Upvotes: 2

Views: 580

Answers (1)

JGrinon

Reputation: 1453

I think you have to create two tokens in the controller:

    $token_add = $this->get('form.csrf_provider')->generateCsrfToken('add');
    $token_edit = $this->get('form.csrf_provider')->generateCsrfToken('edit');

and put them in the view in a hidden field. Then validate in the controller action that processes the form:

    # Here you can validate the 'add' or 'edit' token
    # ($token is the value submitted in the hidden field)
    if (!$this->get('form.csrf_provider')->isCsrfTokenValid('add', $token)) {
        $respuesta = array('mensaje' => 'Oops! Invalid token.',
                           'token' => $token);
        return new Response(json_encode($respuesta));
    }

Upvotes: 2
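The answer above relies on each token being tied to an intention string ('add' or 'edit'), so a token issued for one form is rejected by the action handling the other. The following is an added example, not code from the question, the answer or Symfony itself: a simplified stand-alone model of intention-bound tokens, in which the class name `IntentionCsrf`, its methods and all sample values are hypothetical.

```php
<?php
// Added example: simplified model of intention-bound CSRF tokens.
// Not Symfony's implementation; class and method names are hypothetical.

final class IntentionCsrf
{
    private $secret;
    private $sessionId;

    public function __construct($secret, $sessionId)
    {
        $this->secret = $secret;
        $this->sessionId = $sessionId;
    }

    // The token is an HMAC over the session id and the intention, so it is
    // only valid for this session and for this one form.
    public function generate($intention)
    {
        return hash_hmac('sha256', $this->sessionId . "\0" . $intention, $this->secret);
    }

    // hash_equals() compares in constant time; a missing or non-string
    // token (field absent from the POST body) is rejected outright.
    public function isValid($intention, $token)
    {
        return is_string($token) && hash_equals($this->generate($intention), $token);
    }
}

// Constructed sample values.
$csrf = new IntentionCsrf('constructed-app-secret', 'constructed-session-id');
$addToken  = $csrf->generate('add');
$editToken = $csrf->generate('edit');

var_dump($csrf->isValid('add', $addToken));    // token checked against its own intention
var_dump($csrf->isValid('edit', $editToken));  // token checked against its own intention
var_dump($csrf->isValid('edit', $addToken));   // token taken from the other form
var_dump($csrf->isValid('edit', null));        // token field missing from the request

// Same secret, different session: the edit token no longer matches.
$other = new IntentionCsrf('constructed-app-secret', 'another-constructed-session');
var_dump($other->isValid('edit', $editToken));
```

When two forms share a page, the submit handler has to validate against the same intention the rendering action used for that form; a mismatch produces the same "invalid token" symptom as a forged request.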
