diff -u b/core/modules/simpletest/src/WebTestBase.php b/core/modules/simpletest/src/WebTestBase.php
--- b/core/modules/simpletest/src/WebTestBase.php
+++ b/core/modules/simpletest/src/WebTestBase.php
@@ -407,7 +407,7 @@
 // Make a request to the logout page, and redirect to the user page, the
 // idea being if you were properly logged out you should be seeing a login
 // screen.
- $this->drupalPostForm('user/logout', [], t('Confirm'), ['query' => ['destination' => 'user/login']]);
+ $this->drupalPostForm('user/logout', [], 'Confirm', ['query' => ['destination' => 'user/login']]);
 $this->assertResponse(200, 'User was logged out.');
 $pass = $this->assertField('name', 'Username field found.', 'Logout');
 $pass = $pass && $this->assertField('pass', 'Password field found.', 'Logout');
diff -u b/core/modules/user/src/Controller/UserController.php b/core/modules/user/src/Controller/UserController.php
--- b/core/modules/user/src/Controller/UserController.php
+++ b/core/modules/user/src/Controller/UserController.php
@@ -7,6 +7,7 @@
 use Drupal\Core\Access\CsrfTokenGenerator;
 use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\Datetime\DateFormatterInterface;
+use Drupal\user\Form\UserLogoutConfirm;
 use Drupal\user\Form\UserPasswordResetForm;
 use Drupal\user\UserDataInterface;
 use Drupal\user\UserInterface;
@@ -295,15 +296,10 @@ public function logout(Request $request) { $token = $request->query->get('token'); - // Show confirm form when no csrf token is present. - if (!$token) { + // Show confirm form when no valid csrf token is present. + if (!$token || !$this->csrfToken->validate($token, 'user/logout')) { return $this->formBuilder() - ->getForm('\Drupal\user\Form\UserLogoutConfirm'); - } - if (!$this->csrfToken->validate($token, 'user/logout')) { - drupal_set_message($this->t('Invalid csrf token.'), 'error'); - - return $this->redirect(''); + ->getForm(UserLogoutConfirm::class); } user_logout(); return $this->redirect(''); diff -u b/core/modules/user/src/Form/UserLogoutConfirm.php b/core/modules/user/src/Form/UserLogoutConfirm.php --- b/core/modules/user/src/Form/UserLogoutConfirm.php +++ b/core/modules/user/src/Form/UserLogoutConfirm.php @@ -15,7 +15,7 @@ * {@inheritdoc} */ public function getDescription() { - return NULL; + return ''; } /** diff -u b/core/modules/user/tests/src/Functional/UserLogoutTest.php b/core/modules/user/tests/src/Functional/UserLogoutTest.php --- b/core/modules/user/tests/src/Functional/UserLogoutTest.php +++ b/core/modules/user/tests/src/Functional/UserLogoutTest.php @@ -22,12 +22,6 @@ protected function setUp() { parent::setUp(); - // Enable the theme. - \Drupal::service('theme_installer')->install(['bartik']); - $theme_config = \Drupal::configFactory()->getEditable('system.theme'); - $theme_config->set('default', 'bartik'); - $theme_config->save(); - $this->placeBlock('system_menu_block:account'); } 
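Review bot: In UserController::logout(), the value returned by `$request->query->get('token')` goes straight into `$this->csrfToken->validate()` with no type check, so an array-valued `token` query parameter can reach validate() as a non-string. Unless validate() rejects non-strings itself (not visible in this diff), that request may end in a PHP error rather than the confirm form. Tightening the condition keeps every malformed token on the confirm-form path: `if (!is_string($token) || $token === '' || !$this->csrfToken->validate($token, 'user/logout')) {`. The comment above the check could also say that logout still runs on a GET request, so the token appears in URLs, access logs and Referer headers. The closing brace of logout() lies outside the hunk.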
@@ -40,11 +34,11 @@
 // Test invalid csrf token.
 $this->drupalGet('user/logout', ['query' => ['token' => '123']]);
- $this->assertSession()->pageTextContains('Invalid csrf token.');
+ $this->assertSession()->buttonExists('Confirm');
 $this->drupalGet('user');
- $this->getSession()->getPage()->clickLink(t('Log out'));
- // Make sure user gets logged out.
+ $this->getSession()->getPage()->clickLink('Log out');
+ // Make sure the user gets logged out.
 $this->drupalGet('user/login');
 $this->assertSession()->fieldExists('name');
 }
reverted:
--- b/core/modules/user/user.module
+++ a/core/modules/user/user.module
@@ -1328,7 +1328,6 @@
 'logout' => array(
 'title' => t('Log out'),
 'url' => Url::fromRoute('user.logout'),
- 'route_name' => 'user.logout',
 ),
 );
 // The "Edit user account" link is per-user.
diff -u b/core/tests/Drupal/Tests/BrowserTestBase.php b/core/tests/Drupal/Tests/BrowserTestBase.php
--- b/core/tests/Drupal/Tests/BrowserTestBase.php
+++ b/core/tests/Drupal/Tests/BrowserTestBase.php
@@ -797,7 +797,7 @@
 // idea being if you were properly logged out you should be seeing a login
 // screen.
 $assert_session = $this->assertSession();
- $this->drupalPostForm('user/logout', [], t('Confirm'), ['query' => ['destination' => 'user']]);
+ $this->drupalPostForm('user/logout', [], 'Confirm', ['query' => ['destination' => 'user']]);
 $assert_session->statusCodeEquals(200);
 $assert_session->fieldExists('name');
 $assert_session->fieldExists('pass');