diff --git a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
index 1f329ed..f3f6ee0 100644
--- a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
+++ b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
@@ -42,7 +42,7 @@ function __construct(CsrfTokenGenerator $csrf_token) {
    * {@inheritdoc}
    */
   public function appliesTo() {
-    return array('_csrf');
+    return array('_csrf_token');
   }
 
   /**
@@ -51,7 +51,7 @@ public function appliesTo() {
   public function access(Route $route, Request $request, AccountInterface $account) {
     // If this is the controller request, check CSRF access as normal.
     if ($request->attributes->get('_controller_request')) {
-      return $this->csrfToken->validate($request->query->get('token'), $route->getRequirement('_csrf')) ? static::ALLOW : static::KILL;
+      return $this->csrfToken->validate($request->query->get('token'), $route->getRequirement('_csrf_token')) ? static::ALLOW : static::KILL;
     }
 
     // Otherwise, this could be another requested access check that we don't
diff --git a/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php b/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php
index e9633a7..0fb075c 100644
--- a/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php
+++ b/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php
@@ -38,10 +38,10 @@ function __construct(CsrfTokenGenerator $csrf_token) {
    * {@inheritdoc}
    */
   public function processOutbound(Route $route, array &$parameters) {
-    if ($route->hasRequirement('_csrf')) {
+    if ($route->hasRequirement('_csrf_token')) {
       // Adding this to the parameters means it will get merged into the query
       // string when the route is compiled.
-      $parameters['token'] = $this->csrfToken->get($route->getRequirement('_csrf'));
+      $parameters['token'] = $this->csrfToken->get($route->getRequirement('_csrf_token'));
     }
   }
 
diff --git a/core/modules/shortcut/shortcut.routing.yml b/core/modules/shortcut/shortcut.routing.yml
index 4f902a5..34dbac1 100644
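Review bot: In the access() hunk the query value from `$request->query->get('token')` is handed straight to validate(), so a request carrying no token parameter at all appears to reach the generator with null rather than being rejected up front; an explicit guard such as `if ($request->query->get('token') === NULL) { return static::KILL; }` ahead of the validate() call would make the "no token means deny" intent visible and keep null out of the comparison path. The `_csrf_token` requirement value is also the string passed to CsrfTokenGenerator::get() in the RouteProcessorCsrf hunk, so it seems to act as the per-route input the token is derived from and then checked against; a one-line comment above the validate() call stating that contract, e.g. `// The requirement value is the per-route value the token was generated for.`, would spare the next reader a cross-file lookup. Because the token travels in the query string (it is merged into `$parameters['token']` on the outbound side), it will show up in access logs and Referer headers, which is worth noting in the class docblock if that trade-off is intentional. access() continues past the end of the hunk.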
--- a/core/modules/shortcut/shortcut.routing.yml
+++ b/core/modules/shortcut/shortcut.routing.yml
@@ -40,7 +40,7 @@ shortcut.link_add_inline:
     _controller: 'Drupal\shortcut\Controller\ShortcutSetController::addShortcutLinkInline'
   requirements:
     _entity_access: 'shortcut_set.update'
-    _csrf: 'shortcut-add-link'
+    _csrf_token: 'shortcut-add-link'
 
 shortcut.set_customize:
   path: '/admin/config/user-interface/shortcut/manage/{shortcut_set}'
diff --git a/core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php b/core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php
index 2a12387..8c10669 100644
--- a/core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php
+++ b/core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php
@@ -37,6 +37,13 @@ class CsrfAccessCheckTest extends UnitTestCase {
    */
   protected $accessCheck;
 
+  /**
+   * The mock user account.
+   *
+   * @var \Drupal\Core\Session\AccountInterface|\PHPUnit_Framework_MockObject_MockObject
+   */
+  protected $account;
+
   public static function getInfo() {
     return array(
       'name' => 'CSRF access checker',
@@ -50,6 +57,8 @@ public function setUp() {
       ->disableOriginalConstructor()
       ->getMock();
 
+    $this->account = $this->getMock('Drupal\Core\Session\AccountInterface');
+
     $this->accessCheck = new CsrfAccessCheck($this->csrfToken);
   }
 
@@ -57,7 +66,7 @@ public function setUp() {
    * Tests CsrfAccessCheck::appliesTo().
    */
   public function testAppliesTo() {
-    $this->assertEquals($this->accessCheck->appliesTo(), array('_csrf'), 'Access checker returned the expected appliesTo() array.');
+    $this->assertEquals($this->accessCheck->appliesTo(), array('_csrf_token'), 'Access checker returned the expected appliesTo() array.');
   }
 
   /**
@@ -69,14 +78,14 @@ public function testAccessTokenPass() {
       ->with('test_query', 'test')
       ->will($this->returnValue(TRUE));
 
-    $route = new Route('', array(), array('_csrf' => 'test'));
+    $route = new Route('', array(), array('_csrf_token' => 'test'));
     $request = new Request(array(
       'token' => 'test_query',
     ));
     // Set the _controller_request flag so tokens are validated.
     $request->attributes->set('_controller_request', TRUE);
 
-    $this->assertSame(AccessInterface::ALLOW, $this->accessCheck->access($route, $request));
+    $this->assertSame(AccessInterface::ALLOW, $this->accessCheck->access($route, $request, $this->account));
   }
 
   /**
@@ -88,14 +97,14 @@ public function testAccessTokenFail() {
       ->with('test_query', 'test')
       ->will($this->returnValue(FALSE));
 
-    $route = new Route('', array(), array('_csrf' => 'test'));
+    $route = new Route('', array(), array('_csrf_token' => 'test'));
     $request = new Request(array(
       'token' => 'test_query',
     ));
     // Set the _controller_request flag so tokens are validated.
     $request->attributes->set('_controller_request', TRUE);
 
-    $this->assertSame(AccessInterface::KILL, $this->accessCheck->access($route, $request));
+    $this->assertSame(AccessInterface::KILL, $this->accessCheck->access($route, $request, $this->account));
   }
 
   /**
@@ -107,12 +116,12 @@ public function testAccessTokenMissAny() {
     $this->csrfToken->expects($this->never())
       ->method('validate');
 
-    $route = new Route('', array(), array('_csrf' => 'test'));
+    $route = new Route('', array(), array('_csrf_token' => 'test'));
     $request = new Request(array(
       'token' => 'test_query',
     ));
 
-    $this->assertSame(AccessInterface::DENY, $this->accessCheck->access($route, $request));
+    $this->assertSame(AccessInterface::DENY, $this->accessCheck->access($route, $request, $this->account));
   }
 
   /**
@@ -124,12 +133,12 @@ public function testAccessTokenMissAll() {
     $this->csrfToken->expects($this->never())
       ->method('validate');
 
-    $route = new Route('', array(), array('_csrf' => 'test'), array('_access_mode' => 'ALL'));
+    $route = new Route('', array(), array('_csrf_token' => 'test'), array('_access_mode' => 'ALL'));
     $request = new Request(array(
       'token' => 'test_query',
     ));
 
-    $this->assertSame(AccessInterface::ALLOW, $this->accessCheck->access($route, $request));
+    $this->assertSame(AccessInterface::ALLOW, $this->accessCheck->access($route, $request, $this->account));
   }
 
 }
diff --git a/core/tests/Drupal/Tests/Core/Access/RouteProcessorCsrfTest.php b/core/tests/Drupal/Tests/Core/Access/RouteProcessorCsrfTest.php
index f75cd5f..37eec23 100644
--- a/core/tests/Drupal/Tests/Core/Access/RouteProcessorCsrfTest.php
+++ b/core/tests/Drupal/Tests/Core/Access/RouteProcessorCsrfTest.php
@@ -52,7 +52,7 @@ public function setUp() {
   }
 
   /**
-   * Tests the processOutbound() method with no _csrf route requirement.
+   * Tests the processOutbound() method with no _csrf_token route requirement.
    */
   public function testProcessOutboundNoRequirement() {
     $this->csrfToken->expects($this->never())
@@ -67,7 +67,7 @@ public function testProcessOutboundNoRequirement() {
   }
 
   /**
-   * Tests the processOutbound() method with a _csrf route requirement.
+   * Tests the processOutbound() method with a _csrf_token route requirement.
    */
   public function testProcessOutbound() {
     $this->csrfToken->expects($this->once())
@@ -75,7 +75,7 @@ public function testProcessOutbound() {
       ->with('test')
       ->will($this->returnValue('test_token'));
 
-    $route = new Route('', array(), array('_csrf' => 'test'));
+    $route = new Route('', array(), array('_csrf_token' => 'test'));
     $parameters = array();
     $this->processor->processOutbound($route, $parameters);