Creating forms manually in Symfony2, but still use its CSRF and isValid() functionalily

Question

OK, I googled this hard, but everything I find talks about Symfony forms in context of regular Symfony form processing (e.g. form_widget(), creating FormType class, etc.). I have many such forms in my Symfony project, they work great.

BUT:

I also have some pretty complex AJAX forms that I would like to build manually (using plain old HTML and JS). I do still want to utilize Symfony's Form validation capabilities and CSRF protection. However, for some reason I can't get CSRF working when using isValid() for manually created forms.

This is an example of what I am trying to accomplish:

In my view controller I set _token:

$_token = $this->get('form.csrf_provider')->generateCsrfToken('form');

In my view (manually created form) (getting _token from my view controller):

<html>
  <form method="post">
    <input type="hidden" name="form[_token]" value="{{ _token }}">
    <input type="hidden" name="form[id]" value="1">
    <input type="submit" value="Submit">
  </form>
</html>

In my action controller (when form submitted, I am TRYING to do the following):

//Create form (for validation purposes)
$form = $this->get('form.factory')
  ->createBuilder('form', array('id' => $request->get('id')))
  ->add('id', 'hidden')
  ->getForm();

//Bind form
$form->bind($request)

//Validate form
if($form->isValid()) {
  //... save data
}

//Return response...

For some reason I can't get isValid() working, I suspect that my _token is thing not properly used, but I am out of ideas why. Have anyone actually made manually forms work with Symfony components? Does anyone have any suggestions on how to make this work?

Basically, what I want to accomplish is:

1. Manually create HTML form (with CSFR protection and without TWIG form widget functions)

2. Use Symfony's form functionality to validate that form

Thank you.

Answer 1

I think you're mismatching the intention here (argument passed to your CSRF provider). I tried generating form as you wrote above and break-pointed the generation of token. The value was unknown.

So, try passing unknown instead of form to your generateCsrfToken call and hopefully it should work. ;)

EDIT:

I have just finished some digging and it now does make perfect sense.

Look at the class FormTypeCsrfExtension. Apparently, it's the default extension used for CSRF token protection. On the line #80 (might not be this one exactly in your case) there is method setDefaultOptions that is usually overridden in your form types. Anyhow, there is a default options called intention that has a value of unknown ==> the one we are seeing here.

My guess is that you could easily override this option in your own form type just by passing intention and setting your own value (just as you would pass csrf_protection => false when you would want to disable CSRF protection altogether).

Answer 2

Note: intention is no longer default to be unknown. When I checked this out in symfony 2.3, it would appear it to default to the type name:

$options['intention'] ?: ($builder->getName() ?: get_class($builder->getType()->getInnerType()))

It would be good if there was some programatic way to get the intention out that is used instead of having to rely on these defaults.

Answer 3

I have seen that this is resolved but I have some form troubles too and saw an other post here :

symfony2 CSRF invalid

And their solution seems to me better than making my own token :

There is no problem using {{ form_widget(form) }} to build your custom form. All you have to do is add the _token like this: {{ form_widget(form._token) }}