Hi all,
I'm having some issues with csrf validation when updating existing entities.
I'm adding the field to the form with:
    $csrf = new Hidden('csrf');
    $csrf->addValidator(new Identical([
        'value' => $this->security->getSessionToken(),
        'message' => 'CSRF validation failed'
    ]));
    $csrf->clear();
And then in the volt template:
    {{ form.render('csrf', ['value': security.getToken()]) }}
The problem occurs when I submit the form with a validation error (say missing a required field). The correct error message appears, but when I hit the submit button again, the CSRF now fails.
Checking the page source confirms that the CSRF on the form never changes, which explains the error.
Strangely enough, this doesn't occur when using the same form but not passing it an existing entity (i.e. I'm creating a new one).
    $form = new AccountForm();
vs
    $form = new AccountForm($account, ['edit' => 1]);
The first one gets a fresh csrf when validation fails and the latter does not.
This is the check in the controller:
    if ($this->request->isPost() && $form->isValid($this->request->getPost())) {
I'm at my wits' end at this point! I must be missing something but I don't get it. Why would the page csrf refresh in one case and not the other?
Any thoughts?
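
The symptom described in the post, reproduced as an added, framework-independent model (not the poster's code and not Phalcon's implementation). It assumes the stored token rotates on every render and that the error page may refill the hidden field from the submitted data; all function names and the `$session` array are hypothetical stand-ins.

```php
<?php
// Constructed model: $session is a plain array standing in for the server-side session.

// Issue a fresh token and store it (the role getToken() plays in the post).
function issueToken(array &$session): string {
    return $session['csrf'] = bin2hex(random_bytes(16));
}

// Compare the submitted token with the stored one in constant time
// (the role of the Identical validator against getSessionToken()).
function checkToken(array $session, array $post): bool {
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// Render the hidden field. With $repopulate = true the submitted value wins over
// the fresh token, the way ordinary fields are refilled after a validation error.
function renderCsrfField(array &$session, array $post, bool $repopulate): string {
    $fresh = issueToken($session); // stored token rotates on every render
    return ($repopulate && isset($post['csrf'])) ? $post['csrf'] : $fresh;
}

// First submit passes the CSRF check but fails field validation; the form is
// re-rendered and the user submits again with whatever token the page contains.
function secondSubmitPasses(bool $repopulate): bool {
    $session = [];
    $page1 = renderCsrfField($session, [], $repopulate);     // initial GET
    $post1 = ['csrf' => $page1, 'name' => ''];               // required field missing
    if (!checkToken($session, $post1)) {
        return false;                                        // not reached in this model
    }
    $page2 = renderCsrfField($session, $post1, $repopulate); // error page
    $post2 = ['csrf' => $page2, 'name' => 'Acme'];           // corrected resubmit
    return checkToken($session, $post2);
}

var_dump(secondSubmitPasses(true));  // hidden field refilled from the old POST
var_dump(secondSubmitPasses(false)); // hidden field always gets the fresh token
```

In this model the resubmit only validates when the hidden field is never refilled from request data, so the rendered token always matches the one the server stored last.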