[FrameworkBundle] Don't auto-register form/csrf when the corresponding components are not installed

nicolas-grekas · nicolas-grekas · commit 15df69b03ab9 · 2024-11-20T11:29:07.000+01:00
diff --git a/DependencyInjection/Configuration.php b/DependencyInjection/Configuration.php
@@ -211,7 +211,7 @@ private function addCsrfSection(ArrayNodeDefinition $rootNode): void
                     ->addDefaultsIfNotSet()
                     ->fixXmlConfig('stateless_token_id')
                     ->children()
-                        // defaults to framework.csrf_protection.stateless_token_ids || framework.session.enabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class)
+                        // defaults to (framework.csrf_protection.stateless_token_ids || framework.session.enabled) && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class)
                         ->scalarNode('enabled')->defaultNull()->end()
                         ->arrayNode('stateless_token_ids')
                             ->scalarPrototype()->end()
@@ -237,8 +237,12 @@ private function addFormSection(ArrayNodeDefinition $rootNode, callable $enableI
             ->children()
                 ->arrayNode('form')
                     ->info('Form configuration')
-                    ->{$enableIfStandalone('symfony/form', Form::class)}()
+                    ->treatFalseLike(['enabled' => false])
+                    ->treatTrueLike(['enabled' => true])
+                    ->treatNullLike(['enabled' => true])
+                    ->addDefaultsIfNotSet()
                     ->children()
+                        ->scalarNode('enabled')->defaultNull()->end() // defaults to !class_exists(FullStack::class) && class_exists(Form::class)
                         ->arrayNode('csrf_protection')
                             ->treatFalseLike(['enabled' => false])
                             ->treatTrueLike(['enabled' => true])
diff --git a/DependencyInjection/FrameworkExtension.php b/DependencyInjection/FrameworkExtension.php
@@ -278,6 +278,19 @@ public function load(array $configs, ContainerBuilder $container): void
         $this->readConfigEnabled('profiler', $container, $config['profiler']);
         $this->readConfigEnabled('workflows', $container, $config['workflows']);
 
+        // csrf depends on session or stateless token ids being registered
+        if (null === $config['csrf_protection']['enabled']) {
+            $this->writeConfigEnabled('csrf_protection', ($config['csrf_protection']['stateless_token_ids'] || $this->readConfigEnabled('session', $container, $config['session'])) && !class_exists(FullStack::class) && ContainerBuilder::willBeAvailable('symfony/security-csrf', CsrfTokenManagerInterface::class, ['symfony/framework-bundle']), $config['csrf_protection']);
+        }
+
+        if (null === $config['form']['enabled']) {
+            $this->writeConfigEnabled('form', !class_exists(FullStack::class) && ContainerBuilder::willBeAvailable('symfony/form', Form::class, ['symfony/framework-bundle']), $config['form']);
+        }
+
+        if (null === $config['form']['csrf_protection']['enabled']) {
+            $this->writeConfigEnabled('form.csrf_protection', $config['csrf_protection']['enabled'], $config['form']['csrf_protection']);
+        }
+
         // A translator must always be registered (as support is included by
         // default in the Form and Validator component). If disabled, an identity
         // translator will be used and everything will still work as expected.
@@ -466,10 +479,6 @@ public function load(array $configs, ContainerBuilder $container): void
             $container->removeDefinition('test.session.listener');
         }
 
-        // csrf depends on session being registered
-        if (null === $config['csrf_protection']['enabled']) {
-            $this->writeConfigEnabled('csrf_protection', $config['csrf_protection']['stateless_token_ids'] || $this->readConfigEnabled('session', $container, $config['session']) && !class_exists(FullStack::class) && ContainerBuilder::willBeAvailable('symfony/security-csrf', CsrfTokenManagerInterface::class, ['symfony/framework-bundle']), $config['csrf_protection']);
-        }
         $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
 
         // form depends on csrf being registered
@@ -754,10 +763,6 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont
     {
         $loader->load('form.php');
 
-        if (null === $config['form']['csrf_protection']['enabled']) {
-            $this->writeConfigEnabled('form.csrf_protection', $config['csrf_protection']['enabled'], $config['form']['csrf_protection']);
-        }
-
         if ($this->readConfigEnabled('form.csrf_protection', $container, $config['form']['csrf_protection'])) {
             if (!$container->hasDefinition('security.csrf.token_generator')) {
                 throw new \LogicException('To use form CSRF protection, "framework.csrf_protection" must be enabled.');
diff --git a/Tests/DependencyInjection/Fixtures/php/form_csrf_disabled.php b/Tests/DependencyInjection/Fixtures/php/form_csrf_disabled.php
@@ -4,6 +4,7 @@
     'annotations' => false,
     'csrf_protection' => false,
     'form' => [
+        'enabled' => true,
         'csrf_protection' => true,
     ],
     'http_method_override' => false,
diff --git a/Tests/DependencyInjection/Fixtures/php/form_no_csrf.php b/Tests/DependencyInjection/Fixtures/php/form_no_csrf.php
@@ -6,6 +6,7 @@
     'handle_all_throwables' => true,
     'php_errors' => ['log' => true],
     'form' => [
+        'enabled' => true,
         'csrf_protection' => [
             'enabled' => false,
         ],
diff --git a/Tests/DependencyInjection/Fixtures/php/full.php b/Tests/DependencyInjection/Fixtures/php/full.php
@@ -6,6 +6,7 @@
     'enabled_locales' => ['fr', 'en'],
     'csrf_protection' => true,
     'form' => [
+        'enabled' => true,
         'csrf_protection' => [
             'field_name' => '_csrf',
         ],
diff --git a/Tests/DependencyInjection/Fixtures/xml/full.xml b/Tests/DependencyInjection/Fixtures/xml/full.xml
@@ -10,7 +10,7 @@
         <framework:enabled-locale>fr</framework:enabled-locale>
         <framework:enabled-locale>en</framework:enabled-locale>
         <framework:csrf-protection />
-        <framework:form>
+        <framework:form enabled="true">
             <framework:csrf-protection field-name="_csrf"/>
         </framework:form>
         <framework:esi enabled="true" />
diff --git a/Tests/DependencyInjection/Fixtures/yml/form_csrf_disabled.yml b/Tests/DependencyInjection/Fixtures/yml/form_csrf_disabled.yml
@@ -2,6 +2,7 @@ framework:
     annotations: false
     csrf_protection: false
     form:
+        enabled: true
         csrf_protection: true
     http_method_override: false
     handle_all_throwables: true
diff --git a/Tests/DependencyInjection/Fixtures/yml/form_no_csrf.yml b/Tests/DependencyInjection/Fixtures/yml/form_no_csrf.yml
@@ -5,5 +5,6 @@ framework:
     php_errors:
         log: true
     form:
+        enabled: true
         csrf_protection:
             enabled: false
diff --git a/Tests/DependencyInjection/Fixtures/yml/full.yml b/Tests/DependencyInjection/Fixtures/yml/full.yml
@@ -4,6 +4,7 @@ framework:
     enabled_locales: ['fr', 'en']
     csrf_protection: true
     form:
+        enabled: true
         csrf_protection:
             field_name: _csrf
     http_method_override: false
