Commit 8abed813 authored by catch's avatar catch

Issue #2036351 by damiankloip, dawehner, Xano: Convert CSRF tokens to a...

Issue #2036351 by damiankloip, dawehner, Xano: Convert CSRF tokens to a service is broken for skip_anonymous().
parent 129031e4
......@@ -84,9 +84,9 @@ public function get($value = '') {
* is TRUE, the return value will always be TRUE for anonymous users.
*/
public function validate($token, $value = '', $skip_anonymous = FALSE) {
$user = $this->request->attributes->get('account');
$user = $this->request->attributes->get('_account');
return ($skip_anonymous && $user->id() == 0) || ($token == $this->get($value));
return ($skip_anonymous && $user->isAnonymous()) || ($token == $this->get($value));
}
}
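Review bot: The token check on the new return line, `$token == $this->get($value)`, still uses loose comparison, so a non-string `$token` coming from a request (`TRUE`, `0`, a numeric string) can compare equal to a generated token, and the comparison also leaks timing information about how many leading characters match. Where the supported PHP version provides it, `($token == $this->get($value))` is better written as `(is_string($token) && hash_equals($this->get($value), $token))`; otherwise at least `===`. Separately, `$user` is whatever `_account` holds and is not null-checked before `->isAnonymous()`; that is only reached when `$skip_anonymous` is TRUE, so it presumably relies on the request always carrying `_account` — worth stating in the doc comment, which starts outside the hunk. validate()'s docblock begins before this hunk.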
......@@ -69,8 +69,30 @@ public function testValidate() {
$this->assertTrue($this->generator->validate($token));
$this->assertFalse($this->generator->validate($token, 'foo'));
$token = $this->generator->get('bar');
$this->assertTrue($this->generator->validate($token, 'bar'));
// Check the skip_anonymous option with both a anonymous user and a real
// user.
$account = $this->getMock('Drupal\Core\Session\AccountInterface');
$account->expects($this->once())
->method('isAnonymous')
->will($this->returnValue(TRUE));
$request = new Request();
$request->attributes->set('_account', $account);
$this->generator->setRequest($request);
$this->assertTrue($this->generator->validate($token, 'foo', TRUE));
$account = $this->getMock('Drupal\Core\Session\AccountInterface');
$account->expects($this->once())
->method('isAnonymous')
->will($this->returnValue(FALSE));
$request = new Request();
$request->attributes->set('_account', $account);
$this->generator->setRequest($request);
$this->assertFalse($this->generator->validate($token, 'foo', TRUE));
}
}
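Review bot: The authenticated-user branch of `$skip_anonymous` is exercised only with a token that cannot validate anyway (`$token` was issued for 'bar', the last assertion passes 'foo'), so a regression that made validate() return FALSE for every non-anonymous user when `$skip_anonymous` is TRUE would still pass this test. Adding `$this->assertTrue($this->generator->validate($token, 'bar', TRUE));` after the final assertion covers the path where the token itself must match; because that call invokes isAnonymous() a second time, the second mock's expectation would need `$this->exactly(2)` instead of `$this->once()`. The two mock-and-request setups are duplicated and would read better as a small private helper taking the `isAnonymous` return value; the comment above them should also say "an anonymous user".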