Abort validation when the token validation fails

+1

Heine, I've incorporated this change into my patch for #240828: "This form is outdated. Reload the page and try again" is incorrect and confuses users

I don't think the patch that made it in via #240828: "This form is outdated. Reload the page and try again" is incorrect and confuses users included a change to address this, right?

Forward port of fix from SA

SA followups are critical, marking as such.

1. +++ b/core/modules/system/lib/Drupal/system/Tests/Form/ValidationTest.php
   @@ -65,6 +65,18 @@ function testValidate() {
   +    // Verify that #validate handlers don't run if the CSRF token is invalid.
   

   Once #2131851: Form errors must be specific to a form and not a global is in this could be a nice unit test.

I have no other complaints otherwise.

+++ b/core/modules/system/lib/Drupal/system/Tests/Form/ElementsTableSelectTest.php
@@ -223,6 +223,9 @@ private function formSubmitHelper($form, $edit) {
+    $form_state['programmed'] = TRUE;

+++ b/core/modules/system/lib/Drupal/system/Tests/Form/FormTest.php
@@ -111,6 +111,9 @@ function testRequiredFields() {
+          $form_state['programmed'] = TRUE;

I was looking at FormBuilder tonight and noticed this:

      // Form constructors may explicitly set #token to FALSE when cross site
      // request forgery is irrelevant to the form, such as search forms.
      if (isset($form['#token']) && $form['#token'] === FALSE) {
        unset($form['#token']);
      }

So maybe that is a better option here?

Works for me

There are some issues with the current unit tests that shouldn't hold up this one, leaving the simpletest in place and making the #token => FALSE change.

15: token-validation-fapi-576276-15.patch queued for re-testing.

Okay, let's do that separately as well: #2143349: Submitting a form as an anonymous user when $form['#token'] = FALSE results in a notice

Then we're good

Committed/pushed to 8.x, thanks!