From 7782b2baff0219110a952cbaaa167aea3a19aa72 Mon Sep 17 00:00:00 2001
From: Marcos Cano <marcoscano@1288796.no-reply.drupal.org>
Date: Thu, 13 Mar 2025 10:33:26 +0100
Subject: [PATCH 1/2] Fix csrf on favorites route

---
 tests/src/FunctionalJavascript/FavoritesTest.php | 6 ++++++
 type_tray.routing.yml                            | 1 +
 2 files changed, 7 insertions(+)

diff --git a/tests/src/FunctionalJavascript/FavoritesTest.php b/tests/src/FunctionalJavascript/FavoritesTest.php
index 5535494..739f58b 100644
--- a/tests/src/FunctionalJavascript/FavoritesTest.php
+++ b/tests/src/FunctionalJavascript/FavoritesTest.php
@@ -112,6 +112,12 @@ class FavoritesTest extends TypeTrayWebDriverTestBase {
     $favorite_link = $assert_session->elementExists('css', '.type-tray-teaser--one .favorite-link');
     $favorite_link->click();
     $this->saveHtmlOutput();
+    // Verify the route is protected against CSRF, so visiting the bare URL
+    // doesn't remove it from favorites.
+    $this->drupalGet('/type-tray/favorites-action/one/remove');
+    $assert_session->pageTextContains('Favorites');
+    $assert_session->elementExists('css', '.type-tray-category.category--type-tray__favorites');
+    $assert_session->elementExists('css', '.type-tray-category.category--type-tray__favorites .type-tray-teaser--one');
 
     // Log in as a different user and verify the favorites don't mix up.
     $user2 = $this->createUser([
diff --git a/type_tray.routing.yml b/type_tray.routing.yml
index 32d7f46..3448d37 100644
--- a/type_tray.routing.yml
+++ b/type_tray.routing.yml
@@ -13,3 +13,4 @@ type_tray.favorites:
     _title: 'Type Tray - Process favorites'
   requirements:
     _role: 'authenticated'
+    _csrf_token: 'TRUE'
-- 
GitLab


From b9ecd62c1bc0502f914d1fac9d7b62a9f2f96ff5 Mon Sep 17 00:00:00 2001
From: Marcos Cano <marcoscano@1288796.no-reply.drupal.org>
Date: Thu, 13 Mar 2025 10:39:54 +0100
Subject: [PATCH 2/2] Come back to the type tray page after a 403

---
 tests/src/FunctionalJavascript/FavoritesTest.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/src/FunctionalJavascript/FavoritesTest.php b/tests/src/FunctionalJavascript/FavoritesTest.php
index 739f58b..9bd7075 100644
--- a/tests/src/FunctionalJavascript/FavoritesTest.php
+++ b/tests/src/FunctionalJavascript/FavoritesTest.php
@@ -115,6 +115,7 @@ class FavoritesTest extends TypeTrayWebDriverTestBase {
     // Verify the route is protected against CSRF, so visiting the bare URL
     // doesn't remove it from favorites.
     $this->drupalGet('/type-tray/favorites-action/one/remove');
+    $this->drupalGet('/node/add');
     $assert_session->pageTextContains('Favorites');
     $assert_session->elementExists('css', '.type-tray-category.category--type-tray__favorites');
     $assert_session->elementExists('css', '.type-tray-category.category--type-tray__favorites .type-tray-teaser--one');
-- 
GitLab