From 4d794e127ffe0596a025c27646b03abd419a4397 Mon Sep 17 00:00:00 2001
From: Thijs Boots <thijs@thesavvyfew.com>
Date: Wed, 16 Apr 2025 15:52:07 +0200
Subject: [PATCH 1/2] Rebase to 11.x

---
 .../toolbar/src/Controller/ToolbarController.php       | 10 ++++++----
 core/modules/toolbar/toolbar.module                    |  2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/core/modules/toolbar/src/Controller/ToolbarController.php b/core/modules/toolbar/src/Controller/ToolbarController.php
index 8d25465ffd08..2763dd746ac1 100644
--- a/core/modules/toolbar/src/Controller/ToolbarController.php
+++ b/core/modules/toolbar/src/Controller/ToolbarController.php
@@ -34,10 +34,13 @@ public function __construct(
    * @return \Drupal\Core\Ajax\AjaxResponse
    *   The AJAX response containing the rendered toolbar subtrees.
    */
-  public function subtreesAjax() {
+  public function subtreesAjax($hash) {
     [$subtrees] = toolbar_get_rendered_subtrees();
+    $expected_hash = _toolbar_get_subtrees_hash()[0];
     $response = new AjaxResponse();
-    $response->addCommand(new SetSubtreesCommand($subtrees));
+    if (hash_equals($expected_hash, $hash)) {
+      $response->addCommand(new SetSubtreesCommand($subtrees));
+    }
 
     // The Expires HTTP header is the heart of the client-side HTTP caching. The
     // additional server-side page cache only takes effect when the client
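Review bot: The subtrees are rendered on line 21 before the hash is compared, so a request with a mismatched `$hash` still pays for `toolbar_get_rendered_subtrees()` (which is called again inside `_toolbar_get_subtrees_hash()` on line 22) and then returns an empty `AjaxResponse`. Moving `[$subtrees] = toolbar_get_rendered_subtrees();` inside the `if (hash_equals($expected_hash, $hash))` branch keeps the rendering on the valid path only; if `toolbar_get_rendered_subtrees()` memoises its result the cost is minor, but the reordering still makes the intent visible. Because the hash comparison was dropped from `checkSubTreeAccess` in the next hunk, a stale hash now produces a 200 response instead of a 403, and the Expires-header logic that follows (the method body continues past this hunk) appears to apply to that empty response as well — a comment such as `// A stale hash yields an empty response rather than an access denial; it carries the same cache headers as a valid one.` would record that this is deliberate. The `$cacheability` returned alongside the hash is discarded by the `[0]` on line 22; confirm the response's cache metadata does not need it.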
@@ -64,8 +67,7 @@ public function subtreesAjax() {
    *   The access result.
    */
   public function checkSubTreeAccess($hash) {
-    $expected_hash = _toolbar_get_subtrees_hash()[0];
-    return AccessResult::allowedIf($this->currentUser()->hasPermission('access toolbar') && hash_equals($expected_hash, $hash))->cachePerPermissions();
+    return AccessResult::allowedIf($this->currentUser()->hasPermission('access toolbar'))->cachePerPermissions();
   }
 
   /**
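Review bot: `$hash` is now unused inside `checkSubTreeAccess` (line 34 keeps the parameter, line 37 no longer reads it), so a reader of this method alone will assume the check was lost rather than relocated. Add a one-line comment above the return, e.g. `// The subtree hash is validated in subtreesAjax(); access depends only on the permission.`, and if the docblock preceding this hunk documents `$hash` as the value being verified, update that description to match. The `cachePerPermissions()` context on line 37 remains correct since the result now depends only on the permission.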
diff --git a/core/modules/toolbar/toolbar.module b/core/modules/toolbar/toolbar.module
index 51986310901c..b8619002306f 100644
--- a/core/modules/toolbar/toolbar.module
+++ b/core/modules/toolbar/toolbar.module
@@ -165,6 +165,6 @@ function toolbar_get_rendered_subtrees() {
  */
 function _toolbar_get_subtrees_hash() {
   [$subtrees, $cacheability] = toolbar_get_rendered_subtrees();
-  $hash = Crypt::hashBase64(serialize($subtrees));
+  $hash = Crypt::hashBase64(serialize(array_keys($subtrees)));
   return [$hash, $cacheability];
 }
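Review bot: The hash on line 50 now covers only `array_keys($subtrees)`, so a change to a subtree's rendered content that keeps the same keys yields the same hash; the docblock ending on line 46 should state that the hash identifies the set of subtrees rather than their content. If the hash is meant as a cache validator for the client (it is the value `subtreesAjax()` compares against the URL), a client holding a subtree rendered before such a change would keep it until the key set changes — confirm that is acceptable, or fold something content-sensitive (for instance the `$cacheability` already returned on line 51) into the hashed value. Suggested docblock line: `Note: the hash is derived from the subtree keys only, so it changes when subtrees are added or removed, not when their content changes.`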
-- 
GitLab


From 3d4662788f738d29aafc34fbe1108bd3df4858d9 Mon Sep 17 00:00:00 2001
From: Thijs Boots <thijs@thesavvyfew.com>
Date: Thu, 17 Apr 2025 14:48:54 +0200
Subject: [PATCH 2/2] Adding param documentation and typehint

---
 core/modules/toolbar/src/Controller/ToolbarController.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/modules/toolbar/src/Controller/ToolbarController.php b/core/modules/toolbar/src/Controller/ToolbarController.php
index 2763dd746ac1..f15de6241dac 100644
--- a/core/modules/toolbar/src/Controller/ToolbarController.php
+++ b/core/modules/toolbar/src/Controller/ToolbarController.php
@@ -31,10 +31,13 @@ public function __construct(
   /**
    * Returns an AJAX response to render the toolbar subtrees.
    *
+   * @param string $hash
+   *   The hash of the toolbar subtrees to validate.
+   *
    * @return \Drupal\Core\Ajax\AjaxResponse
    *   The AJAX response containing the rendered toolbar subtrees.
    */
-  public function subtreesAjax($hash) {
+  public function subtreesAjax(string $hash) {
     [$subtrees] = toolbar_get_rendered_subtrees();
     $expected_hash = _toolbar_get_subtrees_hash()[0];
     $response = new AjaxResponse();
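Review bot: The new `@param` on lines 74–75 says the hash is "to validate" but not what a mismatch means; since the preceding patch makes a mismatch return a response without the `SetSubtreesCommand` rather than an access denial, the description should say so, e.g. `The hash of the toolbar subtrees the client expects; when it does not match the current hash the response carries no subtrees.` The `string` type on line 81 fits a route parameter and matches what `hash_equals()` requires. The method body continues past this hunk.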
-- 
GitLab