Symfony 1.4: Custom error message for CSRF in forms

99封情书 提交于 2019-11-30 09:27:26

The only way seems to be to overwrite sfForm::addCSRFProtection().

In /lib/form/BaseForm.class.php you can add this piece of code:

class BaseForm extends sfFormSymfony
{
    public function addCSRFProtection($secret = null)
    {
        parent::addCSRFProtection($secret);
        if (array_key_exists(self::$CSRFFieldName, $this->getValidatorSchema())) {
            $this->getValidator(self::$CSRFFieldName)->setMessage('csrf_attack', 'This session has expired. Please return to the home page and try again.');
        }
    }
}

After calling the parent method, you retrieve the validator associated with the CSRF field and change the message for the code csrf_attack.

Edit: You also need to check whether or not the validator exists. Some forms might have their CSRF protection disabled!

Hope this helps!

None of these answers explain how to remove the "CSRF token:" label that prefixes the error message in a non-hackish way (e.g. changing the token name is a bad idea!).

The only sound way of removing the label is to extend the CSRF validator to throw a global error. While we do this, we can also change the error message.

class myValidatorCSRFToken extends sfValidatorCSRFToken
{
  protected function configure($options = array(), $messages = array())
  {
    parent::configure($options, $messages);
    $this->addMessage('csrf_attack', 'Your session has expired. Please return to the home page and try again.');
  }

  protected function doClean($value)
  {
    try {
      return parent::doClean($value);
    } catch (sfValidatorError $e) {
      throw new sfValidatorErrorSchema($this, array($e));
    }
  }
}

Now, let's set our forms to use this validator by overriding sfForm::addCSRFProtection in BaseForm:

public function addCSRFProtection($secret = null)
{
  parent::addCSRFProtection($secret);
  if (isset($this->validatorSchema[self::$CSRFFieldName])) //addCSRFProtection doesn't always add a validator
  {
    $this->validatorSchema[self::$CSRFFieldName] = new myValidatorCSRFToken(array(
        'token' => $this->validatorSchema[self::$CSRFFieldName]->getOption('token')
    ));
  }
}
Dave Reed

In 1.4.4 I had to modify naag's code like so...

public function addCSRFProtection($secret = null)
{
  parent::addCSRFProtection($secret);
  if (isset($this->validatorSchema[self::$CSRFFieldName])) {
    $this->validatorSchema[self::$CSRFFieldName]->setMessage('csrf_attack', 'This session has expired. Please refresh and try again.');
  }
}

This got it working, the 'csrf token:' bit still appears in the error message though.

Improving on previous answers, here is the code I use:

public function addCSRFProtection($secret = null)
  {
    parent::addCSRFProtection($secret);
    if (isset($this->validatorSchema[self::$CSRFFieldName])) {
      $this->validatorSchema[self::$CSRFFieldName]->setMessage('csrf_attack', 'This session has expired. Please refresh and try again.');
      $this->getWidgetSchema()->getFormFormatter()->setNamedErrorRowFormatInARow("    <li>%error%</li>\n");
    }
  }

The default value for the NamedErrorRowFormatInARow is "<li>%name%: %error%</li>\n" adding the name and the colon. Be careful because it changes the value for all forms and all global errors.

You can also change the field by creating a custom form formatter and using it in the forms you want. You can go look at the documentation here for more info on this.

Use event dispatcher. Check this out http://bluehorn.co.nz/2010/07/15/how-to-change-csrf-attack-message-in-symfony-1-2/

I wrote it for Symfony 1.2, but using event dispatcher, so it still might work for Symfony 1.4.

I suppose the "csrf token:" prefix can be removed or customized by setting the label of the CSRF token field, globally of course.

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!