CSRF token error occurs on record creation after applying symfony/security-http security patch
rafa0805 opened this issue · comments
Environment
Sonata packages
A CSRF token error occurs when creating a new record through Sonata after updating sonata-project/admin-bundle with dependencies. This issue occurs when applying the symfony/security-http security patch released in v5.3.31.
$ composer show --latest 'sonata-project/*'
Color legend:
- patch or minor release available - update recommended
- major release available - update possible
- up to date version
Direct dependencies required in composer.json:
sonata-project/doctrine-orm-admin-bundle 4.15.0 4.15.0 Integrate Doctrine ORM into the SonataAdminBundle
Transitive dependencies not required in composer.json:
sonata-project/admin-bundle 4.29.1 4.29.1 The missing Symfony Admin Generator
sonata-project/block-bundle 5.1.0 5.1.0 Symfony SonataBlockBundle
sonata-project/doctrine-extensions 2.3.0 2.3.0 Doctrine2 behavioral extensions
sonata-project/exporter 3.3.0 3.3.0 Lightweight Exporter library
sonata-project/form-extensions 2.3.0 2.3.0 Symfony form extensions
sonata-project/twig-extensions 2.4.0 2.4.0 Sonata twig extensions
Symfony packages
$ composer show --latest 'symfony/*'
Color legend:
- patch or minor release available - update recommended
- major release available - update possible
- up to date version
Direct dependencies required in composer.json:
symfony/cache v5.4.29 v6.4.0 Provides extended PSR-6, PSR-16 (and tags) implementations
symfony/config v5.4.26 v6.4.0 Helps you find, load, combine, autofill and validate configuration...
symfony/console v5.4.28 v6.4.1 Eases the creation of beautiful and testable command line interfaces
symfony/debug-bundle v5.4.26 v6.4.0 Provides a tight integration of the Symfony VarDumper component an...
symfony/dependency-injection v5.4.29 v6.4.1 Allows you to standardize and centralize the way objects are const...
symfony/error-handler v5.4.29 v6.4.0 Provides tools to manage errors and ease debugging PHP code
symfony/event-dispatcher v5.4.26 v6.4.0 Provides tools that allow your application components to communica...
symfony/form v5.4.29 v6.4.1 Allows to easily create, process and reuse HTML forms
symfony/framework-bundle v5.4.29 v6.4.1 Provides a tight integration between Symfony components and the Sy...
symfony/http-client v5.4.29 v6.4.0 Provides powerful methods to fetch HTTP resources synchronously or...
symfony/http-foundation v5.4.28 v6.4.0 Defines an object-oriented layer for the HTTP specification
symfony/http-kernel v5.4.29 v6.4.1 Provides a structured process for converting a Request into a Resp...
symfony/mailer v5.4.22 v6.4.0 Helps sending emails
symfony/mime v5.4.26 v6.4.0 Allows manipulating MIME messages
symfony/monolog-bundle v3.8.0 v3.10.0 Symfony MonologBundle
symfony/routing v5.4.26 v6.4.1 Maps an HTTP request to a set of configuration variables
symfony/security-bundle v5.4.31 v6.4.0 Provides a tight integration of the Security component into the Sy...
symfony/sendgrid-mailer v5.4.23 v6.4.0 Symfony Sendgrid Mailer Bridge
symfony/translation v5.4.24 v6.4.0 Provides tools to internationalize your application
symfony/twig-bundle v5.4.27 v6.4.0 Provides a tight integration of Twig into the Symfony full-stack f...
symfony/uid v5.4.21 v6.4.0 Provides an object-oriented API to generate and represent UIDs
symfony/validator v5.4.29 v6.4.0 Provides tools to validate values
symfony/web-profiler-bundle v5.4.26 v6.4.0 Provides a development tool that gives detailed information about ...
Transitive dependencies not required in composer.json:
symfony/asset v6.4.0 v6.4.0 Manages URL generation and versioning of web assets such as CSS st...
symfony/browser-kit v6.3.2 v6.4.0 Simulates the behavior of a web browser, allowing you to make requ...
symfony/cache-contracts v2.5.2 v3.4.0 Generic abstractions related to caching
symfony/css-selector v5.4.26 v6.4.0 Converts CSS selectors to XPath expressions
symfony/deprecation-contracts v3.4.0 v3.4.0 A generic function and convention to trigger deprecation notices
symfony/doctrine-bridge v5.4.31 v6.4.0 Provides integration for Doctrine with various Symfony components
symfony/dom-crawler v6.3.4 v6.4.0 Eases DOM navigation for HTML and XML documents
symfony/event-dispatcher-contracts v3.4.0 v3.4.0 Generic abstractions related to dispatching event
symfony/expression-language v6.4.0 v6.4.0 Provides an engine that can compile and evaluate expressions
symfony/filesystem v6.3.1 v6.4.0 Provides basic utilities for the filesystem
symfony/finder v5.4.27 v6.4.0 Finds files and directories via an intuitive fluent interface
symfony/http-client-contracts v2.5.2 v3.4.0 Generic abstractions related to HTTP clients
symfony/intl v6.3.2 v6.4.0 Provides access to the localization data of the ICU library
symfony/monolog-bridge v5.4.22 v6.4.0 Provides integration for Monolog with various Symfony components
symfony/options-resolver v6.4.0 v6.4.0 Provides an improved replacement for the array_replace PHP function
symfony/password-hasher v6.4.0 v6.4.0 Provides password hashing utilities
symfony/polyfill-ctype v1.28.0 v1.28.0 Symfony polyfill for ctype functions
symfony/polyfill-intl-grapheme v1.28.0 v1.28.0 Symfony polyfill for intl's grapheme_* functions
symfony/polyfill-intl-icu v1.28.0 v1.28.0 Symfony polyfill for intl's ICU-related data and classes
symfony/polyfill-intl-idn v1.28.0 v1.28.0 Symfony polyfill for intl's idn_to_ascii and idn_to_utf8 functions
symfony/polyfill-intl-normalizer v1.28.0 v1.28.0 Symfony polyfill for intl's Normalizer class and related functions
symfony/polyfill-mbstring v1.28.0 v1.28.0 Symfony polyfill for the Mbstring extension
symfony/polyfill-php72 v1.28.0 v1.28.0 Symfony polyfill backporting some PHP 7.2+ features to lower PHP v...
symfony/polyfill-php73 v1.28.0 v1.28.0 Symfony polyfill backporting some PHP 7.3+ features to lower PHP v...
symfony/polyfill-php80 v1.28.0 v1.28.0 Symfony polyfill backporting some PHP 8.0+ features to lower PHP v...
symfony/polyfill-php81 v1.28.0 v1.28.0 Symfony polyfill backporting some PHP 8.1+ features to lower PHP v...
symfony/polyfill-uuid v1.28.0 v1.28.0 Symfony polyfill for uuid functions
symfony/process v6.3.4 v6.4.0 Executes commands in sub-processes
symfony/property-access v6.4.0 v6.4.0 Provides functions to read and write from/to an object or array us...
symfony/property-info v6.3.9 v6.4.0 Extracts information about PHP class' properties using metadata of...
symfony/security-acl v3.3.3 v3.3.3 Symfony Security Component - ACL (Access Control List)
symfony/security-core v5.4.30 v6.4.0 Symfony Security Component - Core Library
symfony/security-csrf v6.4.0 v6.4.0 Symfony Security Component - CSRF Library
symfony/security-guard v5.4.27 v5.4.27 Symfony Security Component - Guard
symfony/security-http v5.4.31 v6.4.0 Symfony Security Component - HTTP Integration
symfony/serializer v6.3.10 v6.4.1 Handles serializing and deserializing data structures, including o...
symfony/service-contracts v2.5.2 v3.4.0 Generic abstractions related to writing services
symfony/stopwatch v6.3.0 v6.4.0 Provides a way to profile code
symfony/string v6.4.0 v6.4.0 Provides an object-oriented API to strings and deals with bytes, U...
symfony/translation-contracts v2.5.2 v3.4.0 Generic abstractions related to translation
symfony/twig-bridge v5.4.31 v6.4.0 Provides integration for Twig with various Symfony components
symfony/var-dumper v6.3.6 v6.4.0 Provides mechanisms for walking through any arbitrary PHP variable
symfony/var-exporter v6.3.6 v6.4.1 Allows exporting any serializable PHP data structure to plain PHP ...
symfony/yaml v5.4.23 v6.4.0 Loads and dumps YAML files
PHP version
$ php -v
PHP 8.1.24 (cli) (built: Oct 12 2023 09:19:15) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.24, Copyright (c) Zend Technologies
with Xdebug v3.1.4, Copyright (c) 2002-2022, by Derick Rethans
Subject
It seems that the latest sonata-project/admin-bundle is not working well with symfony/security-http:v5.3.31, released on Nov 10.
It works well when fixing the symfony/security-http version to 5.3.30.
Therefore this issue prevents one from applying the symfony/security-http security patch released in symfony/security-http:v5.3.31.
Steps to reproduce
- Execute composer update --with-dependencies sonata-project/admin-bundle
- Confirm that the symfony/security-http version is 5.4.31
- Try to create a new record through Sonata admin
Expected results
No CSRF token error when creating a record.
Actual results
Closed in favor of #8015 (comment). There is no need for duplicate issues.
Actually this is not a duplication. This is not the same issue since symfony/security-http@v5.4.31 was released on Nov 10, which is quite after #8015 creation.
Isn't there something to be changed on the sonata-project/admin-bundle side to keep compatible with symfony/security-http?
Thanks.
> Actually this is not a duplication. This is not the same issue since symfony/security-http@v5.4.31 was released on Nov 10, which is quite after #8015 creation.
If it wasn't the same, you had no reason to re-post your issue there.
Moreover it's the same topic, and you don't really know the root cause; how can you be sure it's not the same reason?
There is no need to have one issue per symfony version.
> Isn't there something to be changed on the sonata-project/admin-bundle side to keep compatible with symfony/security-http?
If there is something to change, that means Symfony made a BC break/mistake.
Then it's a Symfony issue. Did you open an issue on their side?
> If it wasn't the same, you had no reason to re-post your issue there.
Sorry, this is totally my mistake. First I posted at #8015, but after that I came to think that it was a different issue and then I created a new issue. I should have deleted the post I had made at #8015.
> If there is something to change, that means Symfony made a BC break/mistake.
Totally understood. I'll open an issue at symfony side.
Thanks for your time.