diff --git a/forms/Form.php b/forms/Form.php
index a01601705..2ff080542 100755
--- a/forms/Form.php
+++ b/forms/Form.php
@@ -1165,14 +1165,25 @@ class Form extends RequestHandler {
 	}
 
 	/**
-	 * Disable the requirement of a security token in the Form. This security protects
+	 * Disable the requirement of a security token on this form instance. This security protects
 	 * against CSRF attacks, but you should disable this if you don't want to tie
 	 * a form to a session - eg a search form.
+	 *
+	 * Check for token state with {@link getSecurityToken()} and {@link SecurityToken->isEnabled()}.
 	 */
 	function disableSecurityToken() {
 		$this->securityToken = new NullSecurityToken();
 	}
 
+	/**
+	 * Enable {@link SecurityToken} protection for this form instance.
+	 *
+	 * Check for token state with {@link getSecurityToken()} and {@link SecurityToken->isEnabled()}.
+	 */
+	function enableSecurityToken() {
+		$this->securityToken = new SecurityToken();
+	}
+
 	/**
 	 * Disable security tokens for every form.
 	 * Note that this doesn't apply to {@link SecurityToken}
diff --git a/tests/forms/FormTest.php b/tests/forms/FormTest.php
index b5e9b30fc..e45aba6e4 100755
--- a/tests/forms/FormTest.php
+++ b/tests/forms/FormTest.php
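Review bot: `enableSecurityToken()` unconditionally overwrites `$this->securityToken` with a fresh default `SecurityToken`, so any token object the form already holds (for instance one with a non-default name, if the constructor allows that — it is outside this hunk) is discarded rather than re-enabled; the docblock should say so, e.g. `* Replaces any existing token object on this form with a new default SecurityToken.` The accompanying test in FormTest.php asserts that this per-instance call reports enabled even after a global `SecurityToken::disable()`, which is worth stating here so callers don't assume the global switch silences it: `* Takes effect even if SecurityToken::disable() has been called globally.` The reworded `disableSecurityToken()` docblock still reads as general advice to disable for convenience; since a state-changing form without a token is directly CSRF-exploitable, tighten it to `* Only disable this for forms whose submission has no side effects (e.g. a read-only search); any form that changes state must keep its token.` The class continues outside the hunk on both ends.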
@@ -305,6 +305,26 @@ class FormTest extends FunctionalTest {
 		$this->assertEquals(200, $response->getStatusCode(), 'Submission suceeds with security token');
 	}
 
+	function testEnableSecurityToken() {
+		SecurityToken::disable();
+		$form = $this->getStubForm();
+		$this->assertFalse($form->getSecurityToken()->isEnabled());
+		$form->enableSecurityToken();
+		$this->assertTrue($form->getSecurityToken()->isEnabled());
+
+		SecurityToken::disable(); // restore original
+	}
+
+	function testDisableSecurityToken() {
+		SecurityToken::enable();
+		$form = $this->getStubForm();
+		$this->assertTrue($form->getSecurityToken()->isEnabled());
+		$form->disableSecurityToken();
+		$this->assertFalse($form->getSecurityToken()->isEnabled());
+
+		SecurityToken::disable(); // restore original
+	}
+
 	protected function getStubForm() {
 		return new Form(
 			new Controller(),
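Review bot: The `SecurityToken::disable(); // restore original` line at the end of each new test only runs if every assertion before it passes, so a failing `assertTrue` in `testDisableSecurityToken` leaves the global token flag flipped to enabled for every test that runs after it (and the mirror case for `testEnableSecurityToken`). Move the restore into a `tearDown()` (e.g. `function tearDown() { SecurityToken::disable(); parent::tearDown(); }`) or a try/finally so it always executes, and rather than hard-coding "disabled" as the original state, capture the real global value in `setUp()` if `SecurityToken` exposes a way to read it — its API is not visible here. Both tests also only check what `isEnabled()` reports; a functional assertion that a token-less POST is rejected after `enableSecurityToken()`, mirroring the submission test just above this hunk, would prove the CSRF guard is actually enforced rather than merely advertised. The surrounding class continues outside the hunk.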