Issue #2507093 by claudiu.cristea, catch, timmillwood, dawehner: Don't...

Issue #2507093 by claudiu.cristea, catch, timmillwood, dawehner: Don't calculate the theme_token for ajaxPageState unless necessary

Issue #2507093 by claudiu.cristea, catch, timmillwood, dawehner: Don't...
767cec25 · Alex Pott · 57694c7d · 767cec25 · 767cec25
Commit 767cec25 authored 9 years ago by Alex Pott
--- a/core/modules/system/src/Tests/Theme/ThemeTokenTest.php
+++ b/core/modules/system/src/Tests/Theme/ThemeTokenTest.php
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\system\Tests\Theme\ThemeTokenTest.
+ */
+
+namespace Drupal\system\Tests\Theme;
+
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests the generation of 'theme_token' key in Drupal settings.
+ *
+ * @group Theme
+ */
+class ThemeTokenTest extends WebTestBase {
+
+  /**
+   * We want to visit the 'admin/structure/block' page.
+   *
+   * @var array
+   */
+  static public $modules = ['block'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+    $account = $this->drupalCreateUser(['administer blocks', 'view the administration theme']);
+    $this->drupalLogin($account);
+  }
+
+  /**
+   * Tests if the 'theme_token' key of 'ajaxPageState' is computed.
+   */
+  public function testThemeToken() {
+    // Visit the block administrative page with default theme. We use that page
+    // because 'misc/ajax.js' is loaded there and we can test the token
+    // generation.
+    $this->drupalGet('admin/structure/block');
+    $settings = $this->getDrupalSettings();
+    $this->assertNull($settings['ajaxPageState']['theme_token']);
+
+    // Install 'seven' and configure it as administrative theme.
+    $this->container->get('theme_installer')->install(['seven']);
+    $this->config('system.theme')->set('admin', 'seven')->save();
+
+    // Revisit the page. This time the page is displayed using the 'seven' theme
+    // and that is different from the default theme ('classy').
+    $this->drupalGet('admin/structure/block');
+    $settings = $this->getDrupalSettings();
+    $this->assertNotNull($settings['ajaxPageState']['theme_token']);
+    // The CSRF token is a 43 length string.
+    $this->assertTrue(is_string($settings['ajaxPageState']['theme_token']));
+    $this->assertEqual(strlen($settings['ajaxPageState']['theme_token']), 43);
+  }
+
+}
--- a/core/modules/system/system.module
+++ b/core/modules/system/system.module
@@ -688,8 +688,14 @@ function system_js_settings_alter(&$settings, AttachedAssetsInterface $assets) {
  $library_dependency_resolver = \Drupal::service('library.dependency_resolver');
  if (isset($settings['ajaxPageState']) || in_array('core/drupal.ajax', $library_dependency_resolver->getLibrariesWithDependencies($assets->getAlreadyLoadedLibraries()))) {
    if (!defined('MAINTENANCE_MODE')) {
-      $settings['ajaxPageState']['theme_token'] = \Drupal::csrfToken()
-        ->get(\Drupal::theme()->getActiveTheme()->getName());
+      // The theme token is only validated when the theme requested is not the
+      // default, so don't generate it unless necessary.
+      // @see \Drupal\Core\Theme\AjaxBasePageNegotiator::determineActiveTheme()
+      $active_theme_key = \Drupal::theme()->getActiveTheme()->getName();
+      if ($active_theme_key !== \Drupal::service('theme_handler')->getDefault()) {
+        $settings['ajaxPageState']['theme_token'] = \Drupal::csrfToken()
+          ->get($active_theme_key);
+      }
    }
  }
 }