In D7, the views listing used tokens for the enable/disable AJAX links. Those got lost somehow.

Files: 
CommentFileSizeAuthor
#11 1798296-23.patch4.91 KBdamiankloip
PASSED: [[SimpleTest]]: [MySQL] 57,170 pass(es).
[ View ]
#11 interdiff-1798296-23.txt706 bytesdamiankloip
#9 2042487-9.patch4.9 KBdamiankloip
FAILED: [[SimpleTest]]: [MySQL] 57,156 pass(es), 13 fail(s), and 4 exception(s).
[ View ]
#9 interdiff-2042487-9.txt2.89 KBdamiankloip
#6 vdc-2042487-6.patch3.23 KBtim.plunkett
PASSED: [[SimpleTest]]: [MySQL] 57,179 pass(es).
[ View ]
#6 interdiff.txt2.85 KBtim.plunkett
#1 vdc-2042487-1-FAIL.patch967 bytestim.plunkett
FAILED: [[SimpleTest]]: [MySQL] 57,244 pass(es), 1 fail(s), and 0 exception(s).
[ View ]
#1 vdc-2042487-1-PASS.patch3.64 KBtim.plunkett
PASSED: [[SimpleTest]]: [MySQL] 57,170 pass(es).
[ View ]

Comments

tim.plunkett’s picture

Status:Active» Needs review
StatusFileSize
new3.64 KB
PASSED: [[SimpleTest]]: [MySQL] 57,170 pass(es).
[ View ]
new967 bytes
FAILED: [[SimpleTest]]: [MySQL] 57,244 pass(es), 1 fail(s), and 0 exception(s).
[ View ]

Here we go.

dawehner’s picture

+++ b/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.phpundefined
@@ -164,25 +164,29 @@ public function reportPlugins() {
+    if (drupal_valid_token($request->query->get('token'), $op)) {

Other places like the OverlayController throw a 403 exception if the token is not valid.

damiankloip’s picture

+++ b/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.phpundefined
@@ -164,25 +164,29 @@ public function reportPlugins() {
+    if (drupal_valid_token($request->query->get('token'), $op)) {

As dawehner mentioned above, I tihnk we should throw an error code response here.

Otherwise this is looking pretty good really.

dawehner’s picture

Status:Needs review» Needs work

So, we agree.

damiankloip’s picture

Absolutely

tim.plunkett’s picture

Status:Needs work» Needs review
StatusFileSize
new2.85 KB
new3.23 KB
PASSED: [[SimpleTest]]: [MySQL] 57,179 pass(es).
[ View ]

Indubitably

dawehner’s picture

Status:Needs review» Needs work
+++ b/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.phpundefined
@@ -164,12 +165,20 @@ public function reportPlugins() {
+   * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
    */

Let's also describe when this exception is thrown.

+++ b/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.phpundefined
@@ -182,7 +191,7 @@ public function ajaxOperation(ViewStorageInterface $view, $op, Request $request)
     return new RedirectResponse(url('admin/structure/views', array('absolute' => TRUE)));

Just as a side-node, we could already use the urlgenerator->generate() method directly. (Feel free to open a new issue for it)

tstoeckler’s picture

Priority:Normal» Critical

Pretty sure this is critical, as it's security-related. (And also a regression, apparently.)

damiankloip’s picture

Status:Needs work» Needs review
StatusFileSize
new2.89 KB
new4.9 KB
FAILED: [[SimpleTest]]: [MySQL] 57,156 pass(es), 13 fail(s), and 4 exception(s).
[ View ]

Let's do this then.

Status:Needs review» Needs work

The last submitted patch, 2042487-9.patch, failed testing.

damiankloip’s picture

Status:Needs work» Needs review
StatusFileSize
new706 bytes
new4.91 KB
PASSED: [[SimpleTest]]: [MySQL] 57,170 pass(es).
[ View ]

Oops

dawehner’s picture

It seems to be that the patch is missing a test which ensures that enable/disable via UI actually works.

damiankloip’s picture

Doesn't Drupal\views_ui\Tests\DefaultViewsTest already test this stuff? That enables and disables views in the UI. That test should probably be broken out somehow, but not here.

dawehner’s picture

Status:Needs review» Reviewed & tested by the community

OH i am sorry, and confused this up with the other test class called "DefaultViewsTest"...

damiankloip’s picture

Yeah, we named that one really really well! :)

catch’s picture

Status:Reviewed & tested by the community» Fixed

Committed/pushed to 8.x, thanks!

Automatically closed -- issue fixed for 2 weeks with no activity.