What is the best way of creating functional tests to test forms with CSRF protection enabled in Symfony?
Currently I have to add the following code before each form submittion:
$form = new sfGuardFormSignin();
$token = $form->getCSRFToken();
$token_name = $form->getCSRFFieldName();
Then I add the $token and $token_name to form parameters like this:
call('/login', 'POST', array (
'signin' =>
array (
'username' => $username,
'password' => $password,
$token_name => $token,
)))
The option suggested in the documentation:
'_with_csrf' => true,
Doesn't work at all.
Is there more simple way to avoid adding token to each form tested manually? Or is there a way to turn off csrf checking when running tests?
The way I've described above is ok when you have to test 1-2 forms but if project contains tens unique forms it becomes a pain.
Of course, you can't use _with_csrf option if you call directly the url. You must pass from the form page, clicking on the submit button. Like so:
click('signin', array('signin' => array('username' => $username, 'password' => $password), array('_with_csrf' => true)))
The string 'signin' must be adapted to your form. You can also use a more label-independent string, like 'form#myform input[type="submit"]' instead of 'signin', adapting the id of your form.
As already suggested, you can disapble CSRF for login, it's really useful for forms that modifies data.