Fixed handling of CSRF logout error

wouterj · wouterj · commit 27d66979f982 · 2020-05-26T16:53:18.000+02:00
diff --git a/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php b/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
@@ -174,8 +174,10 @@ private function handleAccessDeniedException(GetResponseForExceptionEvent $event
 
     private function handleLogoutException(LogoutException $exception)
     {
+        $event->setException(new AccessDeniedHttpException($exception->getMessage(), $exception));
+
         if (null !== $this->logger) {
-            $this->logger->info('A LogoutException was thrown.', ['exception' => $exception]);
+            $this->logger->info('A LogoutException was thrown; wrapping with AccessDeniedHttpException', ['exception' => $exception]);
         }
     }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php
@@ -160,6 +160,17 @@ public function testAccessDeniedExceptionNotFullFledged(\Exception $exception, \
         $this->assertSame(null === $eventException ? $exception : $eventException, $event->getException()->getPrevious());
     }
 
+    public function testLogoutException()
+    {
+        $event = $this->createEvent(new LogoutException('Invalid CSRF.'));
+
+        $listener = $this->createExceptionListener();
+        $listener->onKernelException($event);
+
+        $this->assertEquals('Forbidden', $event->getResponse()->getContent());
+        $this->assertEquals(403, $event->getResponse()->getStatusCode());
+    }
+
     public function getAccessDeniedExceptionProvider()
     {
         return [

Original file line number	Diff line number	Diff line change
`@@ -174,8 +174,10 @@ private function handleAccessDeniedException(GetResponseForExceptionEvent $event`
`174`	`174`
`175`	`175`	`private function handleLogoutException(LogoutException $exception)`
`176`	`176`	`{`
	`177`	`+ $event->setException(new AccessDeniedHttpException($exception->getMessage(), $exception));`
	`178`	`+`
`177`	`179`	`if (null !== $this->logger) {`
`178`		`- $this->logger->info('A LogoutException was thrown.', ['exception' => $exception]);`
	`180`	`+ $this->logger->info('A LogoutException was thrown; wrapping with AccessDeniedHttpException', ['exception' => $exception]);`
`179`	`181`	`}`
`180`	`182`	`}`
`181`	`183`