
Symfony 1.4: how to turn off CSRF protection for one registration form?


I'm using both sfDoctrineGuard and sfForkedDoctrineApply. I've written a module that permits a logged-in user to create a child-user which inherits a few of the parent's profile settings. It works great the way it is written; however, I have to turn off CSRF protection for the whole app (in settings) in order to get it working, because when it is turned on, it (rightfully, I might add) detects a CSRF attack. So, I need a way to turn it off, or at least catch and remove the validation.

I've tried many techniques, none of which have worked. Including:

      $this->disableLocalCSRFProtection(); 

in the form. The problem is that it's a custom form and the parent config is being called, which is injecting the CSRF protection.

I've read a few solutions that I think are pointing in the right direction (Symfony 1.4: Custom error message for CSRF in forms), but they don't address this specific problem.

Suggestions and solutions are welcome. Thanks in advance.


Solution

  • The base sfForm constructor configures whether CSRF protection is enabled and what the CSRF secret will be.

    class sfForm implements ArrayAccess, Iterator, Countable
    {
      public function __construct($defaults = array(), $options = array(), $CSRFSecret = null)
      {
        $this->setDefaults($defaults);
        $this->options = $options;
        $this->localCSRFSecret = $CSRFSecret;
    
        $this->validatorSchema = new sfValidatorSchema();
        $this->widgetSchema    = new sfWidgetFormSchema();
        $this->errorSchema     = new sfValidatorErrorSchema($this->validatorSchema);
    
        $this->setup();
        $this->configure();
    
        $this->addCSRFProtection($this->localCSRFSecret);
        $this->resetFormFields();
      }
    }
    

    In such cases, where disabling local CSRF protection via disableLocalCSRFProtection() doesn't work, you may try to create the form instance with a "false" CSRFSecret.

    Example:

    $myForm = new myForm(array(), array(), false);
    

    Edit: (The above suggestion didn't work for the poster)

    Could you please try just commenting out the "csrf_secret" configuration in your application's settings.yml. After commenting out this line, don't forget to clear symfony's cache. To verify that CSRF protection is disabled globally, you may check the value of the "sf_csrf_secret" configuration as follows:

    var_dump(sfConfig::get('sf_csrf_secret'));
    

    This should give you a boolean false, which indeed implies that all CSRF protection is disabled.
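The per-instance approach from the answer (a `false` CSRF secret passed to the constructor) put into a scoped form, with a check that the exemption really is limited to that one instance. This is an added example, not code from the original post or from the plugins mentioned; the class name childUserForm, the helper functions and the field names are assumptions, while the sfForm API used (three-argument constructor, getCSRFFieldName(), ArrayAccess) is Symfony 1.4's.

```php
<?php
// Added example (not from the original post). Assumes Symfony 1.4's sfForm.
// childUserForm, buildChildUserForm(), hasCsrfField() and csrfExemptionIsScoped() are hypothetical names.

class childUserForm extends sfForm
{
    public function configure()
    {
        // Minimal fields for the child-user form; the field names are assumptions.
        $this->setWidgets(array(
            'username' => new sfWidgetFormInputText(),
            'email'    => new sfWidgetFormInputText(),
        ));
        $this->setValidators(array(
            'username' => new sfValidatorString(array('max_length' => 32)),
            'email'    => new sfValidatorEmail(),
        ));
        $this->widgetSchema->setNameFormat('child_user[%s]');
    }
}

// Build the one form that must not carry a token. Passing false as the third
// constructor argument makes sfForm::__construct() call addCSRFProtection(false),
// which returns before adding the _csrf_token widget and validator. Every other
// form in the application keeps the app-wide csrf_secret setting.
function buildChildUserForm(array $defaults = array())
{
    return new childUserForm($defaults, array(), false);
}

// Development-time check: does this instance carry the CSRF token field?
// sfForm implements ArrayAccess, so isset() asks the widget schema for the field.
function hasCsrfField(sfForm $form)
{
    return isset($form[sfForm::getCSRFFieldName()]);
}

// Self-check for a dev action: true only if the exemption is scoped to this form
// while csrf_secret stays set in settings.yml (so a default instance still gets a token).
function csrfExemptionIsScoped()
{
    return !hasCsrfField(buildChildUserForm()) && hasCsrfField(new childUserForm());
}
```

Because this one instance accepts submissions without a token, keep the exemption to this form and keep the action's existing login requirement in place rather than clearing csrf_secret for the whole application.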