Hello everyone. Sorry if I picked the wrong forum; I could not find a Form section, and Volt is also something different.
We are trying to update to the latest version of Phalcon and ran into a problem with CSRF. Actually not with CSRF itself, but with the form that shows it.
Scenario:
- On first load everything works fine.
- Validation failed.
- Form generates the old value in the form.
- And every request is using the first value.
Code:
```php
// Form
$csrf = new Hidden('csrf');
$csrf->addValidator(new Identical(array(
    'value'   => $this->security->getSessionToken(),
    'message' => 'CSRF validation failed.',
)));
$this->add($csrf);

// Controller
if ($form->isValid($this->request->getPost())) { .... }
```

```volt
{# View #}
{% set security_token = security.getToken() %}
{{ form.render(name, ['value': security_token]) }}
```
I see in the code that security_token actually changes on each request, but the value is ignored. As I understand from the framework code (https://github.com/phalcon/cphalcon/blob/master/phalcon/forms/element.zep), it uses POST values on top of the attributes from the form, so POST overrides this value. (Actually, if I reset the POST value for csrf, everything works.)
I understand I can use Tag and generate this field manually, but I see such examples everywhere; maybe I missed something? Also, we have quite a lot of forms, so it will take time to update everything, so I hope someone here can help me.
Thank you.
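
The precedence described in the post, as an added example that is not part of the original post and not Phalcon code: a plain-PHP model in which a submitted value replaces the `value` attribute given at render time, next to a re-render that keeps the CSRF field out of the repopulation data. `TokenStore`, `renderHidden` and `withoutSecrets` are hypothetical names, and the submission is constructed sample data.

```php
<?php
// Simplified model, not Phalcon code: all names here are hypothetical.
final class TokenStore
{
    private $current = null;

    // Issue a new token for the next form render (rotates on every call).
    public function issue(): string
    {
        return $this->current = bin2hex(random_bytes(16));
    }

    // Constant-time comparison against the most recently issued token.
    public function check($submitted): bool
    {
        return is_string($submitted) && $this->current !== null
            && hash_equals($this->current, $submitted);
    }
}

// Render a hidden input; a submitted value for the same name wins over $attrs.
function renderHidden(string $name, array $attrs, array $submitted): string
{
    if (isset($submitted[$name])) {
        $attrs['value'] = $submitted[$name];
    }
    $value = htmlspecialchars((string) ($attrs['value'] ?? ''), ENT_QUOTES);
    return sprintf('<input type="hidden" name="%s" value="%s">',
        htmlspecialchars($name, ENT_QUOTES), $value);
}

// Drop fields that must never be repopulated from the request.
function withoutSecrets(array $submitted, array $never = ['csrf']): array
{
    return array_diff_key($submitted, array_flip($never));
}

$store  = new TokenStore();
$first  = $store->issue();                       // token on the first page load
$post   = ['csrf' => $first, 'email' => 'bad'];  // constructed sample submission
$csrfOk = $store->check($post['csrf']);          // token check; assume 'email' fails validation
$fresh  = $store->issue();                       // view requests a new token on re-render

$stale = renderHidden('csrf', ['value' => $fresh], $post);
$fixed = renderHidden('csrf', ['value' => $fresh], withoutSecrets($post));

var_dump($csrfOk);
var_dump(strpos($stale, $first) !== false);  // does the naive re-render carry the old token?
var_dump(strpos($fixed, $fresh) !== false);  // does the filtered re-render carry the new one?
var_dump($store->check($first));             // would the old token pass on the next submit?
```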