Add option to disable csrf protection

sulu · Apr 1, 2022 · ac37d40 · ac37d40
1 parent 8c6f977
commit ac37d40
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 2 deletions.
diff --git a/DependencyInjection/Configuration.php b/DependencyInjection/Configuration.php
@@ -33,6 +33,10 @@ public function getConfigTreeBuilder()
         $rootNode = $treeBuilder->getRootNode();
 
         $rootNode->children()
+            ->booleanNode('csrf_protection')
+                ->info('Disable csrf protection for dynamic forms.')
+                ->defaultValue(true)
+            ->end()
             ->scalarNode('sendinblue_api_key')->defaultValue(null)->end()
             ->scalarNode('mailchimp_api_key')->defaultValue(null)->end()
             ->scalarNode('mailchimp_subscribe_status')->defaultValue('subscribed')->end()

diff --git a/DependencyInjection/SuluFormExtension.php b/DependencyInjection/SuluFormExtension.php
@@ -133,6 +133,7 @@ public function load(array $configs, ContainerBuilder $container): void
 
         $mediaCollectionStrategy = $config['media_collection_strategy'] ? $config['media_collection_strategy'] : $config['media']['collection_strategy'];
 
+        $container->setParameter('sulu_form.csrf_protection', $config['csrf_protection']);
         $container->setParameter('sulu_form.mail.from', $config['mail']['from']);
         $container->setParameter('sulu_form.mail.to', $config['mail']['to']);
         $container->setParameter('sulu_form.mail.sender', $config['mail']['sender']);

diff --git a/Form/Builder.php b/Form/Builder.php
@@ -71,14 +71,20 @@ class Builder implements BuilderInterface
      */
     private $csrfTokenManager;
 
+    /**
+     * @var boolean
+     */
+    private $csrfProtection;
+
     public function __construct(
         RequestStack $requestStack,
         FormFieldTypePool $formFieldTypePool,
         TitleProviderPoolInterface $titleProviderPool,
         FormRepository $formRepository,
         FormFactory $formFactory,
         Checksum $checksum,
-        CsrfTokenManagerInterface $csrfTokenManager
+        CsrfTokenManagerInterface $csrfTokenManager,
+        bool $csrfProtection = true
     ) {
         $this->requestStack = $requestStack;
         $this->formFieldTypePool = $formFieldTypePool;
@@ -87,6 +93,7 @@ public function __construct(
         $this->formFactory = $formFactory;
         $this->checksum = $checksum;
         $this->csrfTokenManager = $csrfTokenManager;
+        $this->csrfProtection = $csrfProtection;
     }
 
     public function buildByRequest(Request $request): ?FormInterface
@@ -197,7 +204,7 @@ private function createForm(string $name, string $type, string $typeId, string $
         $typeName = $this->titleProviderPool->get($type)->getTitle($typeId, $locale);
 
         $recaptchaFields = $formEntity->getFieldsByType('recaptcha');
-        $csrfTokenProtection = true;
+        $csrfTokenProtection = $this->csrfProtection;
 
         if (\count($recaptchaFields)) {
             $csrfTokenProtection = false;

diff --git a/Resources/config/services.xml b/Resources/config/services.xml
@@ -84,6 +84,7 @@
             <argument type="service" id="form.factory" />
             <argument type="service" id="sulu_form.checksum" />
             <argument type="service" id="security.csrf.token_manager"/>
+            <argument>%sulu_form.csrf_protection%</argument>
         </service>
 
         <!-- Dynamic Form Type -->