Issue #3111506 by andypost, Gábor Hojtsy: Properly deprecate _access_rest_csrf route requirement

ef9a9b9c · alexpott · cee0a334 · ef9a9b9c · ef9a9b9c · ef9a9b9c
Unverified Commit ef9a9b9c authored Mar 03, 2020 by alexpott
4 changed files
--- a/core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php
+++ b/core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php
@@ -53,9 +53,12 @@ public function applies(Route $route) {
    // REST requirement.
    $applicable_requirements = [
      '_csrf_request_header_token',
-      // @todo Remove _access_rest_csrf in Drupal 9.0.0.
+      // @todo Remove _access_rest_csrf in Drupal 10.0.0 https://www.drupal.org/node/3115308
      '_access_rest_csrf',
    ];
+    if ($route->hasRequirement('_access_rest_csrf')) {
+      @trigger_error('Route requirement _access_rest_csrf is deprecated in drupal:8.2.0 and is removed in drupal:10.0.0. Use _csrf_request_header_token instead. See https://www.drupal.org/node/2772399', E_USER_DEPRECATED);
+    }
    $requirement_keys = array_keys($requirements);

    if (array_intersect($applicable_requirements, $requirement_keys)) {

--- a/core/modules/system/tests/modules/csrf_test/csrf_test.routing.yml
+++ b/core/modules/system/tests/modules/csrf_test/csrf_test.routing.yml
@@ -9,7 +9,7 @@ csrf_test.protected:
 # Tests deprecated _access_rest_csrf protection.
 # This originally was in the REST module but now is supported in core/lib.
 # @see https://www.drupal.org/node/2753681
-# @todo Remove this test route in Drupal 9.0.0.
+# @todo Remove the route in drupal:10.0.0 https://www.drupal.org/node/3115308
 csrf_test.deprecated.protected:
  path: csrf/deprecated/protected
  defaults:
@@ -17,7 +17,7 @@ csrf_test.deprecated.protected:
  requirements:
    _access_rest_csrf: 'TRUE'
    _method: 'POST'
-# @todo This route can be removed in 8.3.
+# @todo Remove this route in drupal:10.0.0 https://www.drupal.org/node/3115308
 # @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
 csrf_test.deprecated.csrftoken:
  path: '/deprecated/session/token'

--- a/core/modules/system/tests/modules/csrf_test/src/Controller/DeprecatedCsrfTokenController.php
+++ b/core/modules/system/tests/modules/csrf_test/src/Controller/DeprecatedCsrfTokenController.php
@@ -12,7 +12,7 @@
 *
 * This controller tests using the deprecated CSRF token key 'rest'.
 *
- * @todo This class can be removed in 8.3.
+ * @todo Remove this before drupal:10.0.0 https://www.drupal.org/node/3115308
 *
 * @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
 */

--- a/core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php
+++ b/core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php
@@ -29,6 +29,9 @@ class CsrfRequestHeaderTest extends BrowserTestBase {
   *
   * This checks one route that uses _csrf_request_header_token and one that
   * uses the deprecated _access_rest_csrf.
+   *
+   * @group legacy
+   * @expectedDeprecation Route requirement _access_rest_csrf is deprecated in drupal:8.2.0 and is removed in drupal:10.0.0. Use _csrf_request_header_token instead. See https://www.drupal.org/node/2772399
   */
  public function testRouteAccess() {
    $client = $this->getHttpClient();