Merge pull request #1974 from kenjis/add-csrf_auto_token
Add security.csrf_auto_token option to add CSRF token automatically
WanWizard committed Feb 10, 2016
2 parents 0e3e432 + f7f39e7 commit f560115
Showing 2 changed files with 68 additions and 0 deletions.
6 changes: 6 additions & 0 deletions classes/form/instance.php
Expand Up @@ -140,6 +140,12 @@ public function open($attributes = array(), array $hidden = array())
$form .= PHP_EOL.$this->hidden($field, $value);
}

// Add CSRF token automatically
if (Config::get('security.csrf_auto_token', false))
{
$form .= PHP_EOL.\Form::csrf();
}

return $form;
}
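Review bot: The added block appends `\Form::csrf()` to every form that `open()` emits, and no check on the form's method or action is visible in the hunk. Once `security.csrf_auto_token` is enabled, a form opened with `method="get"` would carry the token in the query string, where it ends up in browser history, server logs and Referer headers, and a form whose action points at another site would send the token to that site. Consider limiting the block to POST forms, for example `if (Config::get('security.csrf_auto_token', false) and strtolower($attributes['method']) === 'post')`, assuming `$attributes` has been normalised to an array with a `method` key earlier in `open()`, whose body starts outside the hunk. Nothing in this hunk validates the token, so a comment such as `// Only embeds the token; the receiving action must still validate it` would keep the option from reading as complete CSRF protection.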

62 changes: 62 additions & 0 deletions tests/form.php
Expand Up @@ -275,4 +275,66 @@ public function test_label_auto_id_false()

\Config::set('form.auto_id', $config);
}

/**
* Tests Form::open()
*
* @test
*/
public function test_open()
{
$form = \Form::forge(__METHOD__);

$output = $form->open('uri/to/form');
$expected = '<form action="uri/to/form" accept-charset="utf-8" method="post">';
$this->assertEquals($expected, $output);
}

/**
* Tests Form::open()
*
* @test
*/
public function test_open_auto_csrf_token()
{
$config = \Config::get('security.csrf_auto_token');
\Config::set('security.csrf_auto_token', true);


it-can Feb 10, 2016

Contributor

Maybe also set (my tests failed because I have a different name here)

\Config::set('security.csrf_token_key', 'fuel_csrf_token');


kenjis Feb 11, 2016

Contributor

How about this? #1975

$form = \Form::forge(__METHOD__);

$output = $form->open('uri/to/form');
$expected = '<form action="uri/to/form" accept-charset="utf-8" method="post">'.PHP_EOL.'<input name="fuel_csrf_token" value="%s" type="hidden" id="form_fuel_csrf_token" />';
$this->assertStringMatchesFormat($expected, $output);

\Config::set('security.csrf_auto_token', $config);
}

/**
* Tests Form::open()
*
* @test
*/
public function test_open_static()
{
$output = Form::open('uri/to/form');
$expected = '<form action="uri/to/form" accept-charset="utf-8" method="post">';
$this->assertEquals($expected, $output);
}

/**
* Tests Form::open()
*
* @test
*/
public function test_open_auto_csrf_token_static()
{
$config = \Config::get('security.csrf_auto_token');
\Config::set('security.csrf_auto_token', true);


it-can Feb 10, 2016

Contributor

Maybe also set (my tests failed because I have a different name here)

\Config::set('security.csrf_token_key', 'fuel_csrf_token');
$output = Form::open('uri/to/form');
$expected = '<form action="uri/to/form" accept-charset="utf-8" method="post">'.PHP_EOL.'<input name="fuel_csrf_token" value="%s" type="hidden" id="form_fuel_csrf_token" />';
$this->assertStringMatchesFormat($expected, $output);

\Config::set('security.csrf_auto_token', $config);
}
}
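Review bot: Both `test_open_auto_csrf_token()` and `test_open_auto_csrf_token_static()` restore `security.csrf_auto_token` only after the assertion, so a failing `assertStringMatchesFormat()` leaves the option set to `true` for every test that runs afterwards. Because the option changes the markup of every later `open()` call, one failure would cascade into unrelated ones; put the restore where it always runs, e.g. `try { ... } finally { \Config::set('security.csrf_auto_token', $config); }`, or in `tearDown()` if the supported PHP versions predate `finally`. The `%s` placeholder accepts any non-empty value, so these tests show that a token field is present, not that it holds the token the session expects; a short comment saying so would help. The test class itself begins outside the hunk.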
