6

I have a delete link to delete a Comment object by ID: `/comment/:id/delete`

In order to secure this link I add a CSRF token to the link:

$CSRFTokenForm = new BaseForm();
$link = url_for(..., array('_csrf_token' => $CSRFTokenForm->getCSRFToken()));

and in `executeDelete` I use the `checkCSRFProtection()` method, and it all works fine.

The only thing is that each comment is displayed by a partial, and each partial creates its own `BaseForm()` in order to create the token, which is a waste of time since they're all the same.

Do you have a better idea on how to make it more efficient, like maybe a static getCSRFToken() method or creating a global BaseForm()?

tamir

3 Answers

5

Use SF's method => delete. It creates the CSRF token for you:

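<?php 
    // link_to() takes the link text first, then the internal URI, then the options.
    // 'method' => 'delete' makes the helper submit the link with a CSRF token.
    echo link_to('Delete', 'comment/' . $comment->getId() . '/delete', 
             array(
                 'method'  => 'delete', 
                 'confirm' => 'Do you really want to delete the comment??', 
                 'title'   => 'Delete'
             )
         ); 
?>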
binarious
  • And if I use `jq_link_to_remote()`? – tamir Jun 08 '11 at 08:53
  • I don't know the jQuery Plugin for Symfony. But you can try the same: `jq_link_to_remote($name, array('method' => 'delete', ...) , $html_options = array())` – binarious Jun 08 '11 at 09:02
  • It doesn't work. Anyway, I don't really like the way symfony outputs the delete link. Is there any way to get the CSRF token without creating a new `BaseForm()` every time? – tamir Jun 08 '11 at 09:06
1

Yes, it's a jQuery Plugin error. If you are using sfJqueryReloadedPlugin - 1.4.3 you need to change the source code of the file jQueryHelper in the plugin's directory and put "BaseForm" instead of "sfForm" in the "csrf => 1" section.

0

With the jQuery Plugin try:

jq_link_to_remote('comment/' . $comment->getId() . '/delete', array('csrf' => 1))

Found it in the source code and they do it with a BaseForm instance, too.

binarious
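
One way to do what the question asks, as an added example that is not code from the thread: create the `BaseForm` once in the template that loops over the comments and pass its token into each partial. The module, template, partial and variable names, the internal URI, and the use of Doctrine to load the comment are assumptions.

```php
<?php
// Added example: three symfony 1.x files shown together.
// All file, module, partial and variable names below are hypothetical.

// --- modules/comment/templates/listSuccess.php (hypothetical) ---
// Build the form once per page render and reuse its token for every row.
$csrfForm  = new BaseForm();
$csrfToken = $csrfForm->getCSRFToken();

foreach ($comments as $comment) {
    include_partial('comment/comment', array(
        'comment'   => $comment,
        'csrfToken' => $csrfToken,
    ));
}

// --- modules/comment/templates/_comment.php (hypothetical) ---
// The partial only consumes the token it was given; it creates no form.
echo link_to(
    'Delete',
    'comment/delete?id=' . $comment->getId() . '&_csrf_token=' . $csrfToken
);

// --- modules/comment/actions/actions.class.php (hypothetical) ---
class commentActions extends sfActions
{
    public function executeDelete(sfWebRequest $request)
    {
        // Throws an exception when _csrf_token is missing or does not match.
        $request->checkCSRFProtection();

        // Assumes a Doctrine model named Comment.
        $comment = Doctrine_Core::getTable('Comment')
            ->find($request->getParameter('id'));
        $this->forward404Unless($comment);

        $comment->delete();
        $this->redirect('comment/index');
    }
}
```

A token carried in the query string ends up in server logs, browser history and `Referer` headers, and the delete is triggered by a plain GET. The `'method' => 'delete'` option shown in the first answer avoids both by submitting the token in a generated POST form.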