Issue #2826391 by Wim Leers: CsrfAccessCheck should have proper error feedback...

Issue #2826391 by Wim Leers: CsrfAccessCheck should have proper error feedback for invalid/missing CSRF token query argument just like CsrfRequestHeaderAccessCheck

Issue #2826391 by Wim Leers: CsrfAccessCheck should have proper error feedback...
9d155a2a · catch · 11c68ce2 · 9d155a2a · 9d155a2a
Commit 9d155a2a authored Nov 18, 2016 by catch
--- a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
+++ b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
@@ -58,7 +58,7 @@ public function access(Route $route, Request $request, RouteMatchInterface $rout
      $result = AccessResult::allowed();
    }
    else {
-      $result = AccessResult::forbidden();
+      $result = AccessResult::forbidden($request->query->has('token') ? "'csrf_token' URL query argument is invalid." : "'csrf_token' URL query argument is missing.");
    }
    // Not cacheable because the CSRF token is highly dynamic.
    return $result->setCacheMaxAge(0);

--- a/core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php
+++ b/core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php
@@ -65,9 +65,9 @@ public function testAccessTokenPass() {
  }

  /**
-   * Tests the access() method with an invalid token.
+   * @covers ::access
   */
-  public function testAccessTokenFail() {
+  public function testCsrfTokenInvalid() {
    $this->csrfToken->expects($this->once())
      ->method('validate')
      ->with('test_query', 'test-path')
@@ -80,7 +80,25 @@ public function testAccessTokenFail() {
    $route = new Route('/test-path', array(), array('_csrf_token' => 'TRUE'));
    $request = Request::create('/test-path?token=test_query');

-    $this->assertEquals(AccessResult::forbidden()->setCacheMaxAge(0), $this->accessCheck->access($route, $request, $this->routeMatch));
+    $this->assertEquals(AccessResult::forbidden("'csrf_token' URL query argument is invalid.")->setCacheMaxAge(0), $this->accessCheck->access($route, $request, $this->routeMatch));
+  }
+
+  /**
+   * @covers ::access
+   */
+  public function testCsrfTokenMissing() {
+    $this->csrfToken->expects($this->once())
+      ->method('validate')
+      ->with('', 'test-path')
+      ->will($this->returnValue(FALSE));
+
+    $this->routeMatch->expects($this->once())
+      ->method('getRawParameters')
+      ->will($this->returnValue(array()));
+
+    $route = new Route('/test-path', array(), array('_csrf_token' => 'TRUE'));
+    $request = Request::create('/test-path');
+    $this->assertEquals(AccessResult::forbidden("'csrf_token' URL query argument is missing.")->setCacheMaxAge(0), $this->accessCheck->access($route, $request, $this->routeMatch));
  }

 }