Unverified Commit ef9a9b9c authored by Alex Pott's avatar Alex Pott
Browse files

Issue #3111506 by andypost, Gábor Hojtsy: Properly deprecate _access_rest_csrf route requirement

parent cee0a334

core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php

+4 −1
Original line number Diff line number Diff line
@@ -53,9 +53,12 @@ public function applies(Route $route) { 
    // REST requirement.

    $applicable_requirements = [

      '_csrf_request_header_token',

      // @todo Remove _access_rest_csrf in Drupal 9.0.0.

      // @todo Remove _access_rest_csrf in Drupal 10.0.0 https://www.drupal.org/node/3115308

      '_access_rest_csrf',

    ];

    if ($route->hasRequirement('_access_rest_csrf')) {

      @trigger_error('Route requirement _access_rest_csrf is deprecated in drupal:8.2.0 and is removed in drupal:10.0.0. Use _csrf_request_header_token instead. See https://www.drupal.org/node/2772399', E_USER_DEPRECATED);

    }

    $requirement_keys = array_keys($requirements);



    if (array_intersect($applicable_requirements, $requirement_keys)) {

core/modules/system/tests/modules/csrf_test/csrf_test.routing.yml

+2 −2
Original line number Diff line number Diff line
@@ -9,7 +9,7 @@ csrf_test.protected: 
# Tests deprecated _access_rest_csrf protection.

# This originally was in the REST module but now is supported in core/lib.

# @see https://www.drupal.org/node/2753681

# @todo Remove this test route in Drupal 9.0.0.

# @todo Remove the route in drupal:10.0.0 https://www.drupal.org/node/3115308

csrf_test.deprecated.protected:

  path: csrf/deprecated/protected

  defaults:
@@ -17,7 +17,7 @@ csrf_test.deprecated.protected: 
  requirements:

    _access_rest_csrf: 'TRUE'

    _method: 'POST'

# @todo This route can be removed in 8.3.

# @todo Remove this route in drupal:10.0.0 https://www.drupal.org/node/3115308

# @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()

csrf_test.deprecated.csrftoken:

  path: '/deprecated/session/token'

core/modules/system/tests/modules/csrf_test/src/Controller/DeprecatedCsrfTokenController.php

+1 −1
Original line number Diff line number Diff line
@@ -12,7 +12,7 @@ 
 *

 * This controller tests using the deprecated CSRF token key 'rest'.

 *

 * @todo This class can be removed in 8.3.

 * @todo Remove this before drupal:10.0.0 https://www.drupal.org/node/3115308

 *

 * @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()

 */

core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php

+3 −0
Original line number Diff line number Diff line
@@ -29,6 +29,9 @@ class CsrfRequestHeaderTest extends BrowserTestBase { 
   *

   * This checks one route that uses _csrf_request_header_token and one that

   * uses the deprecated _access_rest_csrf.

   *

   * @group legacy

   * @expectedDeprecation Route requirement _access_rest_csrf is deprecated in drupal:8.2.0 and is removed in drupal:10.0.0. Use _csrf_request_header_token instead. See https://www.drupal.org/node/2772399

   */

  public function testRouteAccess() {

    $client = $this->getHttpClient();