CSRF protection from list page

Discussion relating to version 1.2.x stable

by SomeDude » Wed Feb 11, 2009 6:23 pm

Hi,


I have generated forms via Doctrine, then modified them a little bit and added a "delete" link right next to the items on the index page, but if I press delete I get a CSRF error, as it was never sent. What can I do to fix this problem?

Re: CSRF protection from list page

by vjousse » Thu Feb 12, 2009 3:07 pm

Did you use link_to() to do the "delete" link?

Re: CSRF protection from list page

by SomeDude » Thu Feb 12, 2009 6:15 pm

No, I used url_for().

Re: CSRF protection from list page

by vjousse » Thu Feb 12, 2009 6:16 pm

That's the problem. Try to make your link with link_to().

Since symfony 1.2, the CSRF token is added with the link_to() function.

Re: CSRF protection from list page

by SomeDude » Fri Feb 13, 2009 10:19 pm

Thank you!

Re: CSRF protection from list page

by gianluca78 » Wed May 13, 2009 6:17 pm

I have the same problem...

In the template indexSuccess, I have added a link to delete the selected item.

This is the code:

<?php
echo link_to('<img src="../images/icone/elimina.png" alt="Elimina" title="Elimina"/>',
'corso/delete?id='.$corso->getId(),
array('confirm' => 'Stai cancellando un corso programmato senza possibilit&agrave; di recuperare i dati, confermi?'))
?>


and the error:

_csrf_token [Required.]


bye bye 8-)

Re: CSRF protection from list page

by Leprosy » Thu Jul 09, 2009 2:54 am

Even with "link_to" the error persists for me :(

Re: CSRF protection from list page

by charline » Wed Jul 15, 2009 5:35 pm

I had a similar problem, I found this solution, it may be useful for you...

  <?php $form = new sfForm(); if ($form->isCSRFProtected()): ?>
    <?php $token = $form->getCSRFToken(); ?>
  <?php endif; ?>
(...)
<li class="sf_admin_action_delete">
<a href="/customers/<?php echo $crd_customer->getIdCustomer(); ?>" onclick="if (confirm('Are you sure?')) { var f = document.createElement('form'); f.style.display = 'none'; this.parentNode.appendChild(f); f.method = 'post'; f.action = this.href;var m = document.createElement('input'); m.setAttribute('type', 'hidden'); m.setAttribute('name', 'sf_method'); m.setAttribute('value', 'delete'); f.appendChild(m);var m = document.createElement('input'); m.setAttribute('type', 'hidden'); m.setAttribute('name', '_csrf_token'); m.setAttribute('value', '<?php echo $token; ?>'); f.appendChild(m);f.submit(); };return false;">Delete</a>
</li>


You can probably create a url_for or link_to with that; that would be cleaner.
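
An added illustration, not part of any post in this thread and not symfony's own code: a plain-PHP model of the server-side check behind the `_csrf_token [Required.]` error, showing why a bare href is refused while a POST form carrying `sf_method` and `_csrf_token` passes. The function names, the HMAC token derivation and the sample secret and session id are assumptions made for the example.

```php
<?php
// Added illustration, not symfony source. Function names, the HMAC
// derivation and all sample values are hypothetical.

// Token bound to the visitor's session and a server-side secret.
function csrf_token(string $secret, string $sessionId): string
{
    return hash_hmac('sha256', $sessionId, $secret);
}

// Accept a delete only when it arrives as a POST carrying sf_method=delete
// and a _csrf_token equal to the one issued for this session.
function check_delete_request(string $method, array $post, string $expected): string
{
    if ($method !== 'POST') {
        return 'rejected: a plain link is a GET and carries no form fields';
    }
    if (($post['sf_method'] ?? '') !== 'delete') {
        return 'rejected: sf_method is not delete';
    }
    if (!isset($post['_csrf_token']) || $post['_csrf_token'] === '') {
        return 'rejected: _csrf_token [Required.]';
    }
    // Constant-time comparison, so timing does not reveal the token.
    if (!hash_equals($expected, (string) $post['_csrf_token'])) {
        return 'rejected: _csrf_token does not match this session';
    }
    return 'accepted';
}

// Constructed sample values.
$secret  = 'constructed-app-secret';
$session = 'constructed-session-id';
$token   = csrf_token($secret, $session);

$cases = [
    'plain href from url_for()'                => ['GET', []],
    'POST form without _csrf_token'            => ['POST', ['sf_method' => 'delete']],
    "POST form with another session's token"   => ['POST', ['sf_method' => 'delete', '_csrf_token' => csrf_token($secret, 'other-session')]],
    'POST form with sf_method and _csrf_token' => ['POST', ['sf_method' => 'delete', '_csrf_token' => $token]],
];

foreach ($cases as $label => [$method, $post]) {
    printf("%-42s %s\n", $label, check_delete_request($method, $post, $token));
}
```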

Re: CSRF protection from list page

by stormsson » Thu Jul 16, 2009 7:19 pm

If I remember correctly, I read somewhere (that I cannot find now) that if you make a custom form template you need to manually put the CSRF field in too.

In my case I did so by putting in something like $form['csrf_token']->render()
and then the error disappeared.

Re: CSRF protection from list page

by pedrocasado » Mon Apr 30, 2012 3:30 pm

I have the same problem. I don't know why; I've created a new action and everything works fine, but when I try to use it inside a partial, the link_to with the method=delete doesn't work. :(