[Form] CSRF fields are not included in the children of a FormView anymore if the view is not the root

src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/csrf_widget.html.php

@@ -1,8 +0,0 @@
-<?php if (!$form->hasParent() || !$form->getParent()->hasParent()): ?>
-<input type="hidden"
-    <?php echo $view['form']->attributes() ?>
-    name="<?php echo $view->escape($name) ?>"
-    value="<?php echo $view->escape($value) ?>"
-    <?php if ($read_only): ?>disabled="disabled"<?php endif ?>
-/>
-<?php endif ?>

src/Symfony/Bundle/TwigBundle/Resources/views/Form/div_layout.html.twig

@@ -74,13 +74,6 @@
     {{ block('field_widget') }}
 {% endblock hidden_widget %}
 
-{% block csrf_widget %}
-    {% if not form.hasParent or not form.getParent.hasParent %}
-        {% set type = type|default('hidden') %}
-        {{ block('field_widget') }}
-    {% endif %}
-{% endblock csrf_widget %}
-
 {% block hidden_row %}
     {{ form_widget(form) }}
 {% endblock hidden_row %}

src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php

@@ -13,6 +13,8 @@ namespace Symfony\Component\Form\Extension\Csrf\Type;
 
 use Symfony\Component\Form\AbstractTypeExtension;
 use Symfony\Component\Form\FormBuilder;
+use Symfony\Component\Form\FormView;
+use Symfony\Component\Form\FormInterface;
 
 class FormTypeCsrfExtension extends AbstractTypeExtension
 {
@@ -34,7 +36,19 @@ class FormTypeCsrfExtension extends AbstractTypeExtension
                 $csrfOptions['csrf_provider'] = $options['csrf_provider'];
             }
 
-            $builder->add($options['csrf_field_name'], 'csrf', $csrfOptions);
+            $builder->add($options['csrf_field_name'], 'csrf', $csrfOptions)
+                ->setAttribute('csrf_field_name', $options['csrf_field_name']);
+        }
+    }
+
+    public function buildViewBottomUp(FormView $view, FormInterface $form)
+    {
+        if ($view->hasParent() && $form->hasAttribute('csrf_field_name')) {
+            $name = $form->getAttribute('csrf_field_name');
+
+            if (isset($view[$name])) {
+                unset($view[$name]);
+            }
         }
     }
 

tests/Symfony/Tests/Component/Form/AbstractLayoutTest.php

@@ -480,19 +480,6 @@ abstract class AbstractLayoutTest extends \PHPUnit_Framework_TestCase
         );
     }
 
-    public function testCsrfWithNonRootParent()
-    {
-        $form = $this->factory->createNamed('csrf', 'na&me', null, array(
-            'property_path' => 'name',
-        ));
-        $form->setParent($this->factory->create('form'));
-        $form->getParent()->setParent($this->factory->create('form'));
-
-        $html = $this->renderWidget($form->createView());
-
-        $this->assertEquals('', trim($html));
-    }
-
     public function testDateTime()
     {
         $form = $this->factory->createNamed('datetime', 'na&me', '2011-02-03 04:05:06', array(

tests/Symfony/Tests/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtensionTest.php

@@ -30,4 +30,24 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
 
         $this->assertEquals(0, count($form));
     }
+
+    public function testCsrfTokenIsOnlyIncludedInRootView()
+    {
+        $view =
+            $this->factory->createBuilder('form', null, array(
+                'csrf_field_name' => 'csrf',
+            ))
+            ->add('notCsrf', 'text')
+            ->add(
+                $this->factory->createNamedBuilder('form', 'child', null, array(
+                    'csrf_field_name' => 'csrf',
+                ))
+                ->add('notCsrf', 'text')
+            )
+            ->getForm()
+            ->createView();
+
+        $this->assertEquals(array('csrf', 'notCsrf', 'child'), array_keys(iterator_to_array($view)));
+        $this->assertEquals(array('notCsrf'), array_keys(iterator_to_array($view['child'])));
+    }
 }