Commit 9d155a2a authored by catch's avatar catch

Issue #2826391 by Wim Leers: CsrfAccessCheck should have proper error feedback...

Issue #2826391 by Wim Leers: CsrfAccessCheck should have proper error feedback for invalid/missing CSRF token query argument just like CsrfRequestHeaderAccessCheck
parent 11c68ce2
...@@ -58,7 +58,7 @@ public function access(Route $route, Request $request, RouteMatchInterface $rout ...@@ -58,7 +58,7 @@ public function access(Route $route, Request $request, RouteMatchInterface $rout
$result = AccessResult::allowed(); $result = AccessResult::allowed();
} }
else { else {
$result = AccessResult::forbidden(); $result = AccessResult::forbidden($request->query->has('token') ? "'csrf_token' URL query argument is invalid." : "'csrf_token' URL query argument is missing.");
} }
// Not cacheable because the CSRF token is highly dynamic. // Not cacheable because the CSRF token is highly dynamic.
return $result->setCacheMaxAge(0); return $result->setCacheMaxAge(0);
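Review bot: The new reason strings name a `'csrf_token'` URL query argument, but the condition on the same line reads `$request->query->has('token')`, and the test request in the second file is `/test-path?token=test_query`, so a client that follows the message would send the wrong parameter name. Either the message should name `'token'`, or the query key should live in one constant used by both the check and the message, e.g. `$result = AccessResult::forbidden($request->query->has('token') ? "'token' URL query argument is invalid." : "'token' URL query argument is missing.");`; the two expected strings in testCsrfTokenInvalid and testCsrfTokenMissing would change with it. The reasons only reveal whether the parameter was present, which the caller already knows, so distinguishing missing from invalid adds no oracle. access() starts before this hunk, so the line that reads the token for validate() is not visible here.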
...@@ -65,9 +65,9 @@ public function testAccessTokenPass() { ...@@ -65,9 +65,9 @@ public function testAccessTokenPass() {
} }
/** /**
* Tests the access() method with an invalid token. * @covers ::access
*/ */
public function testAccessTokenFail() { public function testCsrfTokenInvalid() {
$this->csrfToken->expects($this->once()) $this->csrfToken->expects($this->once())
->method('validate') ->method('validate')
->with('test_query', 'test-path') ->with('test_query', 'test-path')
...@@ -80,7 +80,25 @@ public function testAccessTokenFail() { ...@@ -80,7 +80,25 @@ public function testAccessTokenFail() {
$route = new Route('/test-path', array(), array('_csrf_token' => 'TRUE')); $route = new Route('/test-path', array(), array('_csrf_token' => 'TRUE'));
$request = Request::create('/test-path?token=test_query'); $request = Request::create('/test-path?token=test_query');
$this->assertEquals(AccessResult::forbidden()->setCacheMaxAge(0), $this->accessCheck->access($route, $request, $this->routeMatch)); $this->assertEquals(AccessResult::forbidden("'csrf_token' URL query argument is invalid.")->setCacheMaxAge(0), $this->accessCheck->access($route, $request, $this->routeMatch));
}
/**
* @covers ::access
*/
public function testCsrfTokenMissing() {
$this->csrfToken->expects($this->once())
->method('validate')
->with('', 'test-path')
->will($this->returnValue(FALSE));
$this->routeMatch->expects($this->once())
->method('getRawParameters')
->will($this->returnValue(array()));
$route = new Route('/test-path', array(), array('_csrf_token' => 'TRUE'));
$request = Request::create('/test-path');
$this->assertEquals(AccessResult::forbidden("'csrf_token' URL query argument is missing.")->setCacheMaxAge(0), $this->accessCheck->access($route, $request, $this->routeMatch));
} }
} }
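Review bot: The docblocks on testCsrfTokenInvalid and testCsrfTokenMissing carry only `@covers ::access`, so the one-sentence description that testAccessTokenFail used to have is gone and a reader must infer the exercised path from the method name. Keep a sentence above the tag, e.g. `* Tests access() with an invalid CSRF token in the query argument.` and `* Tests access() when the CSRF token query argument is absent.`. In testCsrfTokenMissing the stub `->with('', 'test-path')` encodes that an absent argument reaches validate() as an empty string; the line in access() that supplies that default is outside the hunks shown, so a short comment on the stub stating that expectation would make the test self-explanatory. The hunk at @@ -65,9 +65,9 @@ is cut off before its last line in this view.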