Token checking for Views enable/disable is missing

+++ b/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.phpundefined
@@ -164,25 +164,29 @@ public function reportPlugins() {
+    if (drupal_valid_token($request->query->get('token'), $op)) {

Other places like the OverlayController throw a 403 exception if the token is not valid.

+++ b/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.phpundefined
@@ -164,25 +164,29 @@ public function reportPlugins() {
+    if (drupal_valid_token($request->query->get('token'), $op)) {

As dawehner mentioned above, I tihnk we should throw an error code response here.

Otherwise this is looking pretty good really.

So, we agree.

Absolutely

+++ b/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.phpundefined
@@ -164,12 +165,20 @@ public function reportPlugins() {
+   * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
    */

Let's also describe when this exception is thrown.

+++ b/core/modules/views_ui/lib/Drupal/views_ui/Controller/ViewsUIController.phpundefined
@@ -182,7 +191,7 @@ public function ajaxOperation(ViewStorageInterface $view, $op, Request $request)
     return new RedirectResponse(url('admin/structure/views', array('absolute' => TRUE)));

Just as a side-node, we could already use the urlgenerator->generate() method directly. (Feel free to open a new issue for it)

Pretty sure this is critical, as it's security-related. (And also a regression, apparently.)

Let's do this then.

Oops

It seems to be that the patch is missing a test which ensures that enable/disable via UI actually works.

Doesn't Drupal\views_ui\Tests\DefaultViewsTest already test this stuff? That enables and disables views in the UI. That test should probably be broken out somehow, but not here.

OH i am sorry, and confused this up with the other test class called "DefaultViewsTest"...

Yeah, we named that one really really well! :)

Committed/pushed to 8.x, thanks!