Merge pull request #6620 from tigrang/custom_csrf_exception

Added InvalidCsrfTokenException. Implements #6546
cakephp · May 23, 2015 · 85a8f8a · 85a8f8a
2 parents 7f3e7d9 + 08a0e8c
commit 85a8f8a
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 9 deletions.
diff --git a/src/Controller/Component/CsrfComponent.php b/src/Controller/Component/CsrfComponent.php
@@ -16,7 +16,7 @@
 
 use Cake\Controller\Component;
 use Cake\Event\Event;
-use Cake\Network\Exception\ForbiddenException;
+use Cake\Network\Exception\InvalidCsrfTokenException;
 use Cake\Network\Request;
 use Cake\Network\Response;
 use Cake\Utility\Security;
@@ -30,7 +30,7 @@
  * PUT, or DELETE request.
  *
  * If the request data is missing or does not match the cookie data,
- * a ForbiddenException will be raised.
+ * an InvalidCsrfTokenException will be raised.
  *
  * This component integrates with the FormHelper automatically and when
  * used together your forms will have CSRF tokens automatically added
@@ -135,7 +135,7 @@ protected function _setCookie(Request $request, Response $response)
      * Validate the request data against the cookie token.
      *
      * @param \Cake\Network\Request $request The request to validate against.
-     * @throws \Cake\Network\Exception\ForbiddenException when the CSRF token is invalid or missing.
+     * @throws \Cake\Network\Exception\InvalidCsrfTokenException when the CSRF token is invalid or missing.
      * @return void
      */
     protected function _validateToken(Request $request)
@@ -145,11 +145,11 @@ protected function _validateToken(Request $request)
         $header = $request->header('X-CSRF-Token');
 
         if (empty($cookie)) {
-            throw new ForbiddenException(__d('cake', 'Invalid CSRF token.'));
+            throw new InvalidCsrfTokenException(__d('cake', 'Missing CSRF token cookie'));
         }
 
         if ($post !== $cookie && $header !== $cookie) {
-            throw new ForbiddenException(__d('cake', 'Invalid CSRF token.'));
+            throw new InvalidCsrfTokenException(__d('cake', 'CSRF token mismatch.'));
         }
     }
 }
diff --git a/src/Network/Exception/InvalidCsrfTokenException.php b/src/Network/Exception/InvalidCsrfTokenException.php
@@ -0,0 +1,35 @@
+<?php
+/**
+ * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
+ * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
+ *
+ * Licensed under The MIT License
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
+ * @since         3.1.0
+ * @license       http://www.opensource.org/licenses/mit-license.php MIT License
+ */
+namespace Cake\Network\Exception;
+
+/**
+ * Represents an HTTP 403 error caused by an invalid CSRF token
+ *
+ */
+class InvalidCsrfTokenException extends HttpException
+{
+
+    /**
+     * Constructor
+     *
+     * @param string $message If no message is given 'Invalid  CSRF Token' will be the message
+     * @param int $code Status code, defaults to 403
+     */
+    public function __construct($message = null, $code = 403)
+    {
+        if (empty($message)) {
+            $message = 'Invalid  CSRF Token';
+        }
+        parent::__construct($message, $code);
+    }
+}
diff --git a/tests/TestCase/Controller/Component/CsrfComponentTest.php b/tests/TestCase/Controller/Component/CsrfComponentTest.php
@@ -115,7 +115,7 @@ public function testValidTokenInHeader($method)
      * Test that the X-CSRF-Token works with the various http methods.
      *
      * @dataProvider httpMethodProvider
-     * @expectedException \Cake\Network\Exception\ForbiddenException
+     * @expectedException \Cake\Network\Exception\InvalidCsrfTokenException
      * @return void
      * @triggers Controller.startup $controller
      */
@@ -161,7 +161,7 @@ public function testValidTokenRequestData($method)
      * Test that request data works with the various http methods.
      *
      * @dataProvider httpMethodProvider
-     * @expectedException \Cake\Network\Exception\ForbiddenException
+     * @expectedException \Cake\Network\Exception\InvalidCsrfTokenException
      * @return void
      */
     public function testInvalidTokenRequestData($method)
@@ -182,7 +182,7 @@ public function testInvalidTokenRequestData($method)
     /**
      * Test that missing post field fails
      *
-     * @expectedException \Cake\Network\Exception\ForbiddenException
+     * @expectedException \Cake\Network\Exception\InvalidCsrfTokenException
      * @return void
      */
     public function testInvalidTokenRequestDataMissing()
@@ -204,7 +204,7 @@ public function testInvalidTokenRequestDataMissing()
      * Test that missing header and cookie fails
      *
      * @dataProvider httpMethodProvider
-     * @expectedException \Cake\Network\Exception\ForbiddenException
+     * @expectedException \Cake\Network\Exception\InvalidCsrfTokenException
      * @return void
      */
     public function testInvalidTokenMissingCookie($method)