Volt template not refreshing CSRF token on validation errors

Hi all,

I'm having some issues with csrf validation when updating existing entities.

I'm adding the field to the form with:

    use Phalcon\Forms\Element\Hidden;
    use Phalcon\Validation\Validator\Identical;

    // Hidden element carrying the token; it must equal the token stored in the session
    $csrf = new Hidden('csrf');
    $csrf->addValidator(new Identical([
        'value'   => $this->security->getSessionToken(),
        'message' => 'CSRF validation failed'
    ]));
    $csrf->clear();
    $this->add($csrf); // register the element on the form

And then in the volt template:

    {{ form.render('csrf', ['value': security.getToken()]) }}

The problem occurs when I submit the form with a validation error (say missing a required field). The correct error message appears, but when I hit the submit button again, the CSRF now fails.

Checking the page source confirms that the CSRF on the form never changes which explains the error.

Strangely enough, this doesn't occur when using the same form but not passing it an existing entity (i.e. I'm creating a new one).

    $form = new AccountForm();

vs

    $form = new AccountForm($account, ['edit' => 1]);

The first one gets a fresh csrf when validation fails and the latter does not.

This is the check in the controller:

    if ($this->request->isPost() && $form->isValid($this->request->getPost())) {

I'm at my wits' end at this point! I must be missing something but I don't get it. Why would the page csrf refresh in one case and not the other?

Any thoughts?
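One defensive controller pattern for the edit case, as an added example that is not from this thread or from the Phalcon project. It assumes Phalcon 3.x's Form::clear() accepts a list of field names and a hypothetical Account model; after a failed isValid() it drops the already-consumed token from the form's bound data so the re-rendered element picks up the fresh value from security.getToken().

```php
<?php
// Added example (not from the thread). Assumes Phalcon 3.x Forms/Security
// components and a hypothetical AccountForm whose initialize() registers
// the 'csrf' Hidden element with the Identical validator shown above.
use Phalcon\Mvc\Controller;

class AccountController extends Controller
{
    public function editAction($id)
    {
        $account = Account::findFirstById($id); // hypothetical model lookup
        $form    = new AccountForm($account, ['edit' => 1]);

        if ($this->request->isPost()) {
            $post = $this->request->getPost();

            if ($form->isValid($post)) {
                // ... bind the posted fields to $account and save it ...
                return $this->response->redirect('account/edit/' . $id);
            }

            // Validation failed, so the same form is rendered again. isValid()
            // has stored the submitted data on the form, and the element's
            // render() prefers that bound value over the 'value' attribute set
            // in the template, which is how the used token ends up in the page
            // a second time. Removing the field from the bound data lets the
            // template's security.getToken() supply a fresh token instead.
            $form->clear(['csrf']); // assumption: clear() takes a field list

            foreach ($form->getMessages() as $message) {
                $this->flash->error($message);
            }
        }

        $this->view->form = $form;
    }
}
```

The token used for the failed submission is never reused on the next render, so a retry validates against the session token that security.getToken() stored when the page was rebuilt.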




Compare your implementation to Vokuro.




Vokuro's editing of an existing model (User) doesn't check the form validity. UsersController:107 only checks if the request is a post and never whether $form->isValid() which is what I do.




Yes, this seems like a large oversight. Would you like to make that 1-line pull request?

Have you found any solution for the CSRF refresh? I have exactly the same problem with a form entity.