Commit 9d155a2a authored by catch's avatar catch
Browse files

Issue #2826391 by Wim Leers: CsrfAccessCheck should have proper error feedback...

Issue #2826391 by Wim Leers: CsrfAccessCheck should have proper error feedback for invalid/missing CSRF token query argument just like CsrfRequestHeaderAccessCheck
parent 11c68ce2
......@@ -58,7 +58,7 @@ public function access(Route $route, Request $request, RouteMatchInterface $rout
$result = AccessResult::allowed();
}
else {
$result = AccessResult::forbidden();
$result = AccessResult::forbidden($request->query->has('token') ? "'csrf_token' URL query argument is invalid." : "'csrf_token' URL query argument is missing.");
}
// Not cacheable because the CSRF token is highly dynamic.
return $result->setCacheMaxAge(0);
......
......@@ -65,9 +65,9 @@ public function testAccessTokenPass() {
}
/**
* Tests the access() method with an invalid token.
* @covers ::access
*/
public function testAccessTokenFail() {
public function testCsrfTokenInvalid() {
$this->csrfToken->expects($this->once())
->method('validate')
->with('test_query', 'test-path')
......@@ -80,7 +80,25 @@ public function testAccessTokenFail() {
$route = new Route('/test-path', array(), array('_csrf_token' => 'TRUE'));
$request = Request::create('/test-path?token=test_query');
$this->assertEquals(AccessResult::forbidden()->setCacheMaxAge(0), $this->accessCheck->access($route, $request, $this->routeMatch));
$this->assertEquals(AccessResult::forbidden("'csrf_token' URL query argument is invalid.")->setCacheMaxAge(0), $this->accessCheck->access($route, $request, $this->routeMatch));
}
/**
* @covers ::access
*/
public function testCsrfTokenMissing() {
$this->csrfToken->expects($this->once())
->method('validate')
->with('', 'test-path')
->will($this->returnValue(FALSE));
$this->routeMatch->expects($this->once())
->method('getRawParameters')
->will($this->returnValue(array()));
$route = new Route('/test-path', array(), array('_csrf_token' => 'TRUE'));
$request = Request::create('/test-path');
$this->assertEquals(AccessResult::forbidden("'csrf_token' URL query argument is missing.")->setCacheMaxAge(0), $this->accessCheck->access($route, $request, $this->routeMatch));
}
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment