handle csrf token when submitting embedded forms

Question

Using Symfony2.3.4

In my project I have the following classes: Services, Transport, Meals and Lodging.
I embedded the three latter inside Services.

I'm working on Services' new.html.twig view with the embedded forms in it and I got it to show all three entities' forms OK. There's just one detail I'm not comfortable with:

Here's the code as it is now:

////ServicesController.php
public function newAction(Request $request, $id_person, $id_edition) {
        $entity = new Services();

        $meals = new Meals();
        $lodging = new Lodging();
        $transport = new Transport();
        $transport2 = new Transport();
        $entity->addLodging($lodging);
        $entity->addTransport($transport);
        $entity->addTransport($transport2);
        $entity->addMeals($meals);

        $form = $this->createCreateForm($entity);
        $form->bind($request);

PAUSE: the last line of code is the one I need some advice about: at first I put it because of what I read here but if I do it that way I get the The CSRF token is invalid. Please try to resubmit the form. error and I took it out and it fixed, which is the right way?, should I had done something else instead?, any insights about it...

//continues...
        return $this->render('ServicesBundle:Services:new.html.twig', array(
                    'form' => $form->createView(),
                    'id_person' => $id_person,
                    'id_edition' => $id_edition));
    }

and the view:

{# Services' new.html.twig #}
{% extends 'AdminBundle:Default:admin.html.twig' %}

{% block content -%}

<div class="row-fluid">
    <h2 class="new-tag">Services</h2>
    <form class="form-horizontal sf_admin_form_area" 
          action="{{ path('services_create',{'id_peson':person.id}) }}" 
          method="post" {{ form_enctype(form) }}>
          {{form_errors(form)}}

PAUSE:the last line wasn't there at first, I put it to see what was triggering the next IF

{% if form_errors(form) != '' %}
   <div class="alert alert-error">
       <i class="glyphicon-ban-circle"></i>
       <h3>General "There's an error somewhere..." error message</h3>
   </div>
{% endif %}
<h3>Lodging</h3>
{%for lo in form.lodging%}
   {{ form_widget(lo) }}
{%endfor%}

<h3>Meals</h3>        
{%for me in form.meals%}
    {{ form_widget(me) }}
{%endfor%}

{%if person.type != 'ee'%}
   <h3>Transport</h3>
   {%for tr in form.transport%}
       {{ form_widget(tr) }}
   {%endfor%}        
{%endif%}

{{form_row(form._token)}}{#not sure about this guy, 
got the error with it and without it#}

<div class="form-actions">
    <button class="btn btn-primary">
        <i class="glyphicon-ok"></i> {{'Save' | trans}}</button>
    <a class="btn" href="{{ path('student',{'edition_id':id_edition}) }}">
        <i class="glyphicon-ban-circle"></i> {{'Cancel' | trans }}</a>
</div>
</form>
</div>
{% endblock %}

and finally the type's builder in case you need it

public function buildForm(FormBuilderInterface $builder, array $options) {
        $builder->add('lodging', 'collection', array(
            'type' => new LodgingType()));
        $builder->add('transport', 'collection', array(
            'type' => new TransportType()));
        $builder->add('meals', 'collection', array(
            'type' => new MealsType(),
            'allow_add' => true));
    }

Answer 1

Since you only get the message when adding $form->bind($request) I recommend you try the following:

if ('POST' === $request->getMethod()) {
    $form->bind($request);
    if ($form->isValid()) {
        // Do something
    }
}

You only have to bind the request to the form on submit, as only then it contains data. This way you can keep the CSRF-token. Of course you also have to keep {{ form_widget(form._token) }} in your view.