Issue #3111506 by andypost, Gábor Hojtsy: Properly deprecate _access_…

…rest_csrf route requirement (cherry picked from commit ef9a9b9c1b08d01cad167a91f254410c0de8cbce)
drupal · Mar 3, 2020 · 3712f4a · 3712f4a
1 parent 9066799
commit 3712f4a
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 4 deletions.
diff --git a/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php b/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php
@@ -53,9 +53,12 @@ public function applies(Route $route) {
     // REST requirement.
     $applicable_requirements = [
       '_csrf_request_header_token',
-      // @todo Remove _access_rest_csrf in Drupal 9.0.0.
+      // @todo Remove _access_rest_csrf in Drupal 10.0.0 https://www.drupal.org/node/3115308
       '_access_rest_csrf',
     ];
+    if ($route->hasRequirement('_access_rest_csrf')) {
+      @trigger_error('Route requirement _access_rest_csrf is deprecated in drupal:8.2.0 and is removed in drupal:10.0.0. Use _csrf_request_header_token instead. See https://www.drupal.org/node/2772399', E_USER_DEPRECATED);
+    }
     $requirement_keys = array_keys($requirements);
 
     if (array_intersect($applicable_requirements, $requirement_keys)) {

diff --git a/modules/system/tests/modules/csrf_test/csrf_test.routing.yml b/modules/system/tests/modules/csrf_test/csrf_test.routing.yml
@@ -9,15 +9,15 @@ csrf_test.protected:
 # Tests deprecated _access_rest_csrf protection.
 # This originally was in the REST module but now is supported in core/lib.
 # @see https://www.drupal.org/node/2753681
-# @todo Remove this test route in Drupal 9.0.0.
+# @todo Remove the route in drupal:10.0.0 https://www.drupal.org/node/3115308
 csrf_test.deprecated.protected:
   path: csrf/deprecated/protected
   defaults:
     _controller: '\Drupal\csrf_test\Controller\TestController::testMethod'
   requirements:
     _access_rest_csrf: 'TRUE'
     _method: 'POST'
-# @todo This route can be removed in 8.3.
+# @todo Remove this route in drupal:10.0.0 https://www.drupal.org/node/3115308
 # @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
 csrf_test.deprecated.csrftoken:
   path: '/deprecated/session/token'

diff --git a/modules/system/tests/modules/csrf_test/src/Controller/DeprecatedCsrfTokenController.php b/modules/system/tests/modules/csrf_test/src/Controller/DeprecatedCsrfTokenController.php
@@ -12,7 +12,7 @@
  *
  * This controller tests using the deprecated CSRF token key 'rest'.
  *
- * @todo This class can be removed in 8.3.
+ * @todo Remove this before drupal:10.0.0 https://www.drupal.org/node/3115308
  *
  * @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
  */

diff --git a/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php b/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php
@@ -29,6 +29,9 @@ class CsrfRequestHeaderTest extends BrowserTestBase {
    *
    * This checks one route that uses _csrf_request_header_token and one that
    * uses the deprecated _access_rest_csrf.
+   *
+   * @group legacy
+   * @expectedDeprecation Route requirement _access_rest_csrf is deprecated in drupal:8.2.0 and is removed in drupal:10.0.0. Use _csrf_request_header_token instead. See https://www.drupal.org/node/2772399
    */
   public function testRouteAccess() {
     $client = $this->getHttpClient();