diff --git a/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.php b/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.php
index df462ba..8c1a9af 100644
--- a/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.php
+++ b/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.php
@@ -21,6 +21,7 @@
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Drupal\Core\Ajax\AjaxResponse;
 use Drupal\Core\Ajax\ReplaceCommand;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 /**
 * Returns responses for Views UI routes.
@@ -170,19 +171,23 @@ public function reportPlugins() {
 * @return \Drupal\Core\Ajax\AjaxResponse|\Symfony\Component\HttpFoundation\RedirectResponse
 * Either returns a rebuilt listing page as an AJAX response, or redirects
 * back to the listing page.
+ *
+ * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
 */
 public function ajaxOperation(ViewStorageInterface $view, $op, Request $request) {
- if (drupal_valid_token($request->query->get('token'), $op)) {
- // Perform the operation.
- $view->$op()->save();
-
- // If the request is via AJAX, return the rendered list as JSON.
- if ($request->request->get('js')) {
- $list = $this->entityManager->getListController('view')->render();
- $response = new AjaxResponse();
- $response->addCommand(new ReplaceCommand('#views-entity-list', drupal_render($list)));
- return $response;
- }
+ if (!drupal_valid_token($request->query->get('token'), $op)) {
+ throw new AccessDeniedHttpException();
+ }
+
+ // Perform the operation.
+ $view->$op()->save();
+
+ // If the request is via AJAX, return the rendered list as JSON.
+ if ($request->request->get('js')) {
+ $list = $this->entityManager->getListController('view')->render();
+ $response = new AjaxResponse();
+ $response->addCommand(new ReplaceCommand('#views-entity-list', drupal_render($list)));
+ return $response;
 }
 // Otherwise, redirect back to the page.
diff --git a/core/modules/views_ui/lib/Drupal/views_ui/Tests/DefaultViewsTest.php b/core/modules/views_ui/lib/Drupal/views_ui/Tests/DefaultViewsTest.php
index bff6b04..ed147ab 100644
--- a/core/modules/views_ui/lib/Drupal/views_ui/Tests/DefaultViewsTest.php
+++ b/core/modules/views_ui/lib/Drupal/views_ui/Tests/DefaultViewsTest.php
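Review bot: In `ajaxOperation()` of ViewsUIController.php the call `$view->$op()->save();` still dispatches to whatever method name arrives in `$op`, and the only gate visible here is the token check added above it. Presumably the route definition restricts `$op`, but that is outside this diff; an explicit allow-list in the method, e.g. `if (!in_array($op, array('enable', 'disable'), TRUE)) { throw new AccessDeniedHttpException(); }` (operation list to be confirmed against the route), would keep the handler safe if the route is ever loosened. The token is also validated against `$op` alone, so one token appears to be accepted for the same operation on every view; binding the token value to the view as well would narrow that, though it needs a matching change where the links are generated. The method body continues past the end of this hunk.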
@@ -158,8 +158,7 @@ function testSplitListing() {
 // Attempt to disable the view by path directly, with no token.
 $this->drupalGet('admin/structure/views/view/test_view_status/disable');
- $elements = $this->xpath($xpath, $arguments);
- $this->assertIdentical(count($elements), 1, 'After a failed attempt to disable the view, it is still found in the enabled views table.');
+ $this->assertResponse(403);
 }
 /**
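Review bot: After this change the test checks only the status code, so it no longer proves that the view stayed enabled; a handler that saved the entity and then returned 403 would still pass. After `$this->assertResponse(403);`, reload the views listing and repeat the removed check, `$elements = $this->xpath($xpath, $arguments);` followed by the `assertIdentical(count($elements), 1, ...)` assertion. A second request carrying a wrong `token` query value would cover the invalid-token path as well as the missing-token one. `testSplitListing()` starts outside this hunk, so `$xpath` and `$arguments` are assumed to still be in scope at this point.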