Unverified Commit ef9a9b9c authored by alexpott's avatar alexpott
Browse files

Issue #3111506 by andypost, Gábor Hojtsy: Properly deprecate _access_rest_csrf route requirement

parent cee0a334
......@@ -53,9 +53,12 @@ public function applies(Route $route) {
// REST requirement.
$applicable_requirements = [
'_csrf_request_header_token',
// @todo Remove _access_rest_csrf in Drupal 9.0.0.
// @todo Remove _access_rest_csrf in Drupal 10.0.0 https://www.drupal.org/node/3115308
'_access_rest_csrf',
];
if ($route->hasRequirement('_access_rest_csrf')) {
@trigger_error('Route requirement _access_rest_csrf is deprecated in drupal:8.2.0 and is removed in drupal:10.0.0. Use _csrf_request_header_token instead. See https://www.drupal.org/node/2772399', E_USER_DEPRECATED);
}
$requirement_keys = array_keys($requirements);
if (array_intersect($applicable_requirements, $requirement_keys)) {
......
......@@ -9,7 +9,7 @@ csrf_test.protected:
# Tests deprecated _access_rest_csrf protection.
# This originally was in the REST module but now is supported in core/lib.
# @see https://www.drupal.org/node/2753681
# @todo Remove this test route in Drupal 9.0.0.
# @todo Remove the route in drupal:10.0.0 https://www.drupal.org/node/3115308
csrf_test.deprecated.protected:
path: csrf/deprecated/protected
defaults:
......@@ -17,7 +17,7 @@ csrf_test.deprecated.protected:
requirements:
_access_rest_csrf: 'TRUE'
_method: 'POST'
# @todo This route can be removed in 8.3.
# @todo Remove this route in drupal:10.0.0 https://www.drupal.org/node/3115308
# @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
csrf_test.deprecated.csrftoken:
path: '/deprecated/session/token'
......
......@@ -12,7 +12,7 @@
*
* This controller tests using the deprecated CSRF token key 'rest'.
*
* @todo This class can be removed in 8.3.
* @todo Remove this before drupal:10.0.0 https://www.drupal.org/node/3115308
*
* @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
*/
......
......@@ -29,6 +29,9 @@ class CsrfRequestHeaderTest extends BrowserTestBase {
*
* This checks one route that uses _csrf_request_header_token and one that
* uses the deprecated _access_rest_csrf.
*
* @group legacy
* @expectedDeprecation Route requirement _access_rest_csrf is deprecated in drupal:8.2.0 and is removed in drupal:10.0.0. Use _csrf_request_header_token instead. See https://www.drupal.org/node/2772399
*/
public function testRouteAccess() {
$client = $this->getHttpClient();
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment