Issue #3077391 by mr.baileys, JParkinson1991, joegraduate, michaelmol: CSRF Token Mismatch

78293b4c · Ivo Van Geertruyen · Michael Mol · 098dcd4f · 78293b4c · 78293b4c
Commit 78293b4c authored 5 years ago by Ivo Van Geertruyen Committed by Michael Mol 5 years ago
--- a/src/Controller/CoffeeController.php
+++ b/src/Controller/CoffeeController.php
@@ -8,6 +8,7 @@ use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\Menu\LocalTaskManagerInterface;
 use Drupal\Core\Menu\MenuLinkTreeInterface;
 use Drupal\Core\Menu\MenuTreeParameters;
+use Drupal\Core\Routing\UrlGeneratorInterface;
 use Drupal\Core\Url;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -57,11 +58,12 @@ class CoffeeController extends ControllerBase {
   * @param \Drupal\Core\Access\AccessManagerInterface $access_manager
   *   The access manager service.
   */
-  public function __construct(ConfigFactoryInterface $config_factory, MenuLinkTreeInterface $menu_link_tree, LocalTaskManagerInterface $local_task_manager, AccessManagerInterface $access_manager) {
+  public function __construct(ConfigFactoryInterface $config_factory, MenuLinkTreeInterface $menu_link_tree, LocalTaskManagerInterface $local_task_manager, AccessManagerInterface $access_manager, UrlGeneratorInterface $url_generator) {
    $this->config = $config_factory->get('coffee.configuration');
    $this->menuLinkTree = $menu_link_tree;
    $this->localTaskManager = $local_task_manager;
    $this->accessManager = $access_manager;
+    $this->urlGenerator = $url_generator;
  }

  /**
@@ -72,7 +74,8 @@ class CoffeeController extends ControllerBase {
      $container->get('config.factory'),
      $container->get('menu.link_tree'),
      $container->get('plugin.manager.menu.local_task'),
-      $container->get('access_manager')
+      $container->get('access_manager'),
+      $container->get('coffee.url_generator')
    );
  }

@@ -93,7 +96,7 @@ class CoffeeController extends ControllerBase {
        $link = $tree_element->link;

        $output[$link->getRouteName()] = [
-          'value' => $link->getUrlObject()->toString(),
+          'value' => $link->getUrlObject()->setUrlGenerator($this->urlGenerator)->toString(),
          'label' => $link->getTitle(),
          'command' => $commands_group,
        ];
@@ -103,7 +106,7 @@ class CoffeeController extends ControllerBase {
        foreach ($tasks as $route_name => $task) {
          if (empty($output[$route_name])) {
            $output[$route_name] = [
-              'value' => $task['url']->toString(),
+              'value' => $task['url']->setUrlGenerator($this->urlGenerator)->toString(),
              'label' => $link->getTitle() . ' - ' . $task['title'],
              'command' => NULL,
            ];

--- a/tests/modules/coffee_test/coffee_test.info.yml
+++ b/tests/modules/coffee_test/coffee_test.info.yml
@@ -3,3 +3,5 @@ type: module
 description: 'Support module for coffee testing.'
 package: Testing
 core: 8.x
+dependencies:
+  - drupal:node
--- a/tests/modules/coffee_test/coffee_test.routing.yml
+++ b/tests/modules/coffee_test/coffee_test.routing.yml
+coffee_test.csrf:
+  path: '/coffee-test-csrf'
+  defaults:
+    _controller: '\Drupal\coffee_test\Controller\CoffeeTestController::csrf'
+  requirements:
+    _access: 'TRUE'
+    _csrf_token: 'TRUE'
--- a/tests/modules/coffee_test/src/Controller/CoffeeTestController.php
+++ b/tests/modules/coffee_test/src/Controller/CoffeeTestController.php
+<?php
+
+namespace Drupal\coffee_test\Controller;
+
+use Drupal\Core\Controller\ControllerBase;
+use Drupal\Core\Render\HtmlResponse;
+
+class CoffeeTestController extends ControllerBase {
+
+  public function csrf() {
+    return new HtmlResponse('ok');
+  }
+}
--- a/tests/src/Functional/CoffeeTest.php
+++ b/tests/src/Functional/CoffeeTest.php
@@ -2,7 +2,10 @@

 namespace Drupal\Tests\coffee\Functional;

+use Drupal\menu_link_content\Entity\MenuLinkContent;
+use Drupal\system\Entity\Menu;
 use Drupal\Tests\BrowserTestBase;
+use PHPUnit\Util\Json;

 /**
 * Tests Coffee module functionality.
@@ -16,7 +19,7 @@ class CoffeeTest extends BrowserTestBase {
   *
   * @var array
   */
-  public static $modules = ['coffee'];
+  public static $modules = ['coffee', 'coffee_test', 'menu_link_content'];

  /**
   * The user for tests.
@@ -154,4 +157,39 @@ class CoffeeTest extends BrowserTestBase {
    $this->assertSession()->elementExists('xpath', $tab_xpath);
  }

+  /**
+   * Tests that CSRF tokens are correctly handled.
+   */
+  public function testCoffeeCsrf() {
+    $account = $this->drupalCreateUser(['access coffee', 'access administration pages']);
+    $this->drupalLogin($account);
+
+    // Set up a new menu with one link.
+    $menu = Menu::create([
+      'id' => 'coffee',
+      'label' => 'Coffee',
+      'description' => 'Menu for testing Coffee.',
+    ]);
+    $menu->save();
+
+    $menu_link = MenuLinkContent::create([
+      'title' => 'Coffee test',
+      'provider' => 'menu_link_content',
+      'menu_name' => 'coffee',
+      'link' => ['uri' => 'internal:/coffee-test-csrf'],
+    ]);
+    $menu_link->save();
+    $this->config('coffee.configuration')->set('coffee_menus', ['coffee'])->save();
+
+    // Get the link with CSRF token.
+    $result = $this->drupalGet('/admin/coffee/get-data');
+    $result = json_decode($result);
+
+    // For some reason, drupalGet('path?token=foo') does not work, and
+    // we have to explicitly set the token in the query options.
+    $token = substr($result[0]->value, strpos($result[0]->value, 'token=') + 6);
+
+    $this->drupalGet('/coffee-test-csrf', ['query' => ['token' => $token]]);
+    $this->assertResponse(200);
+  }
 }