Merge branch '1.1' into 1.2

* 1.1:
  Make sure Admin API does not require CSRF protection
  Exception while apply refund transition
  Fix cancel order button in the admin panel
  Make Travis passing again

src/Sylius/Bundle/AdminApiBundle/Resources/config/routing/order.yml

@@ -20,6 +20,7 @@ sylius_admin_api_order_cancel:
             state_machine:
                 graph: sylius_order
                 transition: cancel
+            csrf_protection: false
             return_content: false
 
 sylius_admin_api_order_shipment_ship:

src/Sylius/Bundle/AdminApiBundle/Resources/config/routing/product_review.yml

@@ -78,6 +78,7 @@ sylius_admin_api_product_review_accept:
             state_machine:
                 graph: sylius_product_review
                 transition: accept
+            csrf_protection: false
 
 sylius_admin_api_product_review_reject:
     path: /reviews/{id}/reject
@@ -88,3 +89,4 @@ sylius_admin_api_product_review_reject:
             state_machine:
                 graph: sylius_product_review
                 transition: reject
+            csrf_protection: false

src/Sylius/Bundle/AdminBundle/Menu/OrderShowMenuBuilder.php

@@ -19,6 +19,7 @@
 use Sylius\Bundle\AdminBundle\Event\OrderShowMenuBuilderEvent;
 use Sylius\Component\Order\OrderTransitions;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 
 final class OrderShowMenuBuilder
 {
@@ -40,18 +41,20 @@ final class OrderShowMenuBuilder
     private $stateMachineFactory;
 
     /**
-     * @param FactoryInterface $factory
-     * @param EventDispatcherInterface $eventDispatcher
-     * @param StateMachineFactoryInterface $stateMachineFactory,
+     * @var CsrfTokenManagerInterface
      */
+    private $csrfTokenManager;
+
     public function __construct(
         FactoryInterface $factory,
         EventDispatcherInterface $eventDispatcher,
-        StateMachineFactoryInterface $stateMachineFactory
+        StateMachineFactoryInterface $stateMachineFactory,
+        CsrfTokenManagerInterface $csrfTokenManager
     ) {
         $this->factory = $factory;
         $this->eventDispatcher = $eventDispatcher;
         $this->stateMachineFactory = $stateMachineFactory;
+        $this->csrfTokenManager = $csrfTokenManager;
     }
 
     /**
@@ -84,7 +87,10 @@ public function createMenu(array $options): ItemInterface
             $menu
                 ->addChild('cancel', [
                     'route' => 'sylius_admin_order_cancel',
-                    'routeParameters' => ['id' => $order->getId()],
+                    'routeParameters' => [
+                        'id' => $order->getId(),
+                        '_csrf_token' => $this->csrfTokenManager->getToken((string) $order->getId())->getValue(),
+                    ],
                 ])
                 ->setAttribute('type', 'transition')
                 ->setLabel('sylius.ui.cancel')

src/Sylius/Bundle/AdminBundle/Resources/config/services/menu.xml

@@ -31,6 +31,7 @@
             <argument type="service" id="knp_menu.factory" />
             <argument type="service" id="event_dispatcher" />
             <argument type="service" id="sm.factory" />
+            <argument type="service" id="security.csrf.token_manager" />
             <tag name="knp_menu.menu_builder" method="createMenu" alias="sylius.admin.order.show" />
         </service>
 

src/Sylius/Bundle/ResourceBundle/Controller/ResourceController.php

@@ -543,7 +543,7 @@ public function applyStateMachineTransitionAction(Request $request): Response
         $this->isGrantedOr403($configuration, ResourceActions::UPDATE);
         $resource = $this->findOr404($configuration);
 
-        if ($configuration->isCsrfProtectionEnabled() && !$this->isCsrfTokenValid($resource->getId(), $request->request->get('_csrf_token'))) {
+        if ($configuration->isCsrfProtectionEnabled() && !$this->isCsrfTokenValid((string) $resource->getId(), $request->get('_csrf_token'))) {
             throw new HttpException(Response::HTTP_FORBIDDEN, 'Invalid CSRF token.');
         }
 

src/Sylius/Bundle/ResourceBundle/spec/Controller/ResourceControllerSpec.php

@@ -2042,6 +2042,8 @@ function it_does_not_apply_state_machine_transition_on_resource_if_not_applicabl
         ResourceInterface $resource,
         FlashHelperInterface $flashHelper,
         EventDispatcherInterface $eventDispatcher,
+        CsrfTokenManagerInterface $csrfTokenManager,
+        ContainerInterface $container,
         ResourceControllerEvent $event,
         Request $request
     ): void {
@@ -2051,10 +2053,18 @@ function it_does_not_apply_state_machine_transition_on_resource_if_not_applicabl
         $requestConfigurationFactory->create($metadata, $request)->willReturn($configuration);
         $configuration->hasPermission()->willReturn(true);
         $configuration->getPermission(ResourceActions::UPDATE)->willReturn('sylius.product.update');
+        $configuration->isCsrfProtectionEnabled()->willReturn(true);
+        $request->get('_csrf_token')->willReturn('xyz');
+
+        $container->has('security.csrf.token_manager')->willReturn(true);
+        $container->get('security.csrf.token_manager')->willReturn($csrfTokenManager);
+        $csrfTokenManager->isTokenValid(new CsrfToken('1', 'xyz'))->willReturn(true);
 
         $authorizationChecker->isGranted($configuration, 'sylius.product.update')->willReturn(true);
         $singleResourceProvider->get($configuration, $repository)->willReturn($resource);
 
+        $resource->getId()->willReturn('1');
+
         $configuration->isHtmlRequest()->willReturn(true);
 
         $eventDispatcher->dispatchPreEvent(ResourceActions::UPDATE, $configuration, $resource)->willReturn($event);
@@ -2085,6 +2095,8 @@ function it_applies_state_machine_transition_to_resource_and_redirects_for_html_
         FlashHelperInterface $flashHelper,
         AuthorizationCheckerInterface $authorizationChecker,
         EventDispatcherInterface $eventDispatcher,
+        CsrfTokenManagerInterface $csrfTokenManager,
+        ContainerInterface $container,
         StateMachineInterface $stateMachine,
         ResourceUpdateHandlerInterface $resourceUpdateHandler,
         RequestConfiguration $configuration,
@@ -2100,10 +2112,18 @@ function it_applies_state_machine_transition_to_resource_and_redirects_for_html_
         $requestConfigurationFactory->create($metadata, $request)->willReturn($configuration);
         $configuration->hasPermission()->willReturn(true);
         $configuration->getPermission(ResourceActions::UPDATE)->willReturn('sylius.product.update');
+        $configuration->isCsrfProtectionEnabled()->willReturn(true);
+        $request->get('_csrf_token')->willReturn('xyz');
+
+        $container->has('security.csrf.token_manager')->willReturn(true);
+        $container->get('security.csrf.token_manager')->willReturn($csrfTokenManager);
+        $csrfTokenManager->isTokenValid(new CsrfToken('1', 'xyz'))->willReturn(true);
 
         $authorizationChecker->isGranted($configuration, 'sylius.product.update')->willReturn(true);
         $singleResourceProvider->get($configuration, $repository)->willReturn($resource);
 
+        $resource->getId()->willReturn('1');
+
         $configuration->isHtmlRequest()->willReturn(true);
 
         $eventDispatcher->dispatchPreEvent(ResourceActions::UPDATE, $configuration, $resource)->willReturn($event);
@@ -2129,10 +2149,11 @@ function it_uses_response_from_post_apply_state_machine_transition_event_if_defi
         RepositoryInterface $repository,
         ObjectManager $manager,
         SingleResourceProviderInterface $singleResourceProvider,
-        RedirectHandlerInterface $redirectHandler,
         FlashHelperInterface $flashHelper,
         AuthorizationCheckerInterface $authorizationChecker,
         EventDispatcherInterface $eventDispatcher,
+        CsrfTokenManagerInterface $csrfTokenManager,
+        ContainerInterface $container,
         StateMachineInterface $stateMachine,
         ResourceUpdateHandlerInterface $resourceUpdateHandler,
         RequestConfiguration $configuration,
@@ -2148,10 +2169,18 @@ function it_uses_response_from_post_apply_state_machine_transition_event_if_defi
         $requestConfigurationFactory->create($metadata, $request)->willReturn($configuration);
         $configuration->hasPermission()->willReturn(true);
         $configuration->getPermission(ResourceActions::UPDATE)->willReturn('sylius.product.update');
+        $configuration->isCsrfProtectionEnabled()->willReturn(true);
+        $request->get('_csrf_token')->willReturn('xyz');
+
+        $container->has('security.csrf.token_manager')->willReturn(true);
+        $container->get('security.csrf.token_manager')->willReturn($csrfTokenManager);
+        $csrfTokenManager->isTokenValid(new CsrfToken('1', 'xyz'))->willReturn(true);
 
         $authorizationChecker->isGranted($configuration, 'sylius.product.update')->willReturn(true);
         $singleResourceProvider->get($configuration, $repository)->willReturn($resource);
 
+        $resource->getId()->willReturn('1');
+
         $configuration->isHtmlRequest()->willReturn(true);
 
         $eventDispatcher->dispatchPreEvent(ResourceActions::UPDATE, $configuration, $resource)->willReturn($event);
@@ -2183,6 +2212,8 @@ function it_does_not_apply_state_machine_transition_on_resource_and_redirects_fo
         RedirectHandlerInterface $redirectHandler,
         FlashHelperInterface $flashHelper,
         EventDispatcherInterface $eventDispatcher,
+        CsrfTokenManagerInterface $csrfTokenManager,
+        ContainerInterface $container,
         ResourceControllerEvent $event,
         Request $request,
         Response $redirectResponse
@@ -2193,10 +2224,18 @@ function it_does_not_apply_state_machine_transition_on_resource_and_redirects_fo
         $requestConfigurationFactory->create($metadata, $request)->willReturn($configuration);
         $configuration->hasPermission()->willReturn(true);
         $configuration->getPermission(ResourceActions::UPDATE)->willReturn('sylius.product.update');
+        $configuration->isCsrfProtectionEnabled()->willReturn(true);
+        $request->get('_csrf_token')->willReturn('xyz');
+
+        $container->has('security.csrf.token_manager')->willReturn(true);
+        $container->get('security.csrf.token_manager')->willReturn($csrfTokenManager);
+        $csrfTokenManager->isTokenValid(new CsrfToken('1', 'xyz'))->willReturn(true);
 
         $authorizationChecker->isGranted($configuration, 'sylius.product.update')->willReturn(true);
         $singleResourceProvider->get($configuration, $repository)->willReturn($resource);
 
+        $resource->getId()->willReturn('1');
+
         $configuration->isHtmlRequest()->willReturn(true);
 
         $eventDispatcher->dispatchPreEvent(ResourceActions::UPDATE, $configuration, $resource)->willReturn($event);
@@ -2228,6 +2267,8 @@ function it_does_not_apply_state_machine_transition_on_resource_and_return_event
         ResourceInterface $resource,
         FlashHelperInterface $flashHelper,
         EventDispatcherInterface $eventDispatcher,
+        CsrfTokenManagerInterface $csrfTokenManager,
+        ContainerInterface $container,
         ResourceControllerEvent $event,
         Request $request,
         Response $response
@@ -2238,10 +2279,18 @@ function it_does_not_apply_state_machine_transition_on_resource_and_return_event
         $requestConfigurationFactory->create($metadata, $request)->willReturn($configuration);
         $configuration->hasPermission()->willReturn(true);
         $configuration->getPermission(ResourceActions::UPDATE)->willReturn('sylius.product.update');
+        $configuration->isCsrfProtectionEnabled()->willReturn(true);
+        $request->get('_csrf_token')->willReturn('xyz');
+
+        $container->has('security.csrf.token_manager')->willReturn(true);
+        $container->get('security.csrf.token_manager')->willReturn($csrfTokenManager);
+        $csrfTokenManager->isTokenValid(new CsrfToken('1', 'xyz'))->willReturn(true);
 
         $authorizationChecker->isGranted($configuration, 'sylius.product.update')->willReturn(true);
         $singleResourceProvider->get($configuration, $repository)->willReturn($resource);
 
+        $resource->getId()->willReturn('1');
+
         $configuration->isHtmlRequest()->willReturn(true);
 
         $eventDispatcher->dispatchPreEvent(ResourceActions::UPDATE, $configuration, $resource)->willReturn($event);
@@ -2286,6 +2335,7 @@ function it_applies_state_machine_transition_on_resource_and_returns_200_for_non
         $configuration->getParameters()->willReturn($parameterBag);
         $configuration->hasPermission()->willReturn(true);
         $configuration->getPermission(ResourceActions::UPDATE)->willReturn('sylius.product.update');
+        $configuration->isCsrfProtectionEnabled()->willReturn(false);
 
         $parameterBag->get('return_content', true)->willReturn(true);
 
@@ -2334,6 +2384,7 @@ function it_applies_state_machine_transition_on_resource_and_returns_204_for_non
         $configuration->getParameters()->willReturn($parameterBag);
         $configuration->hasPermission()->willReturn(true);
         $configuration->getPermission(ResourceActions::UPDATE)->willReturn('sylius.product.update');
+        $configuration->isCsrfProtectionEnabled()->willReturn(false);
 
         $parameterBag->get('return_content', true)->willReturn(false);
 
@@ -2378,6 +2429,7 @@ function it_does_not_apply_state_machine_transition_resource_and_throws_http_exc
         $requestConfigurationFactory->create($metadata, $request)->willReturn($configuration);
         $configuration->hasPermission()->willReturn(true);
         $configuration->getPermission(ResourceActions::UPDATE)->willReturn('sylius.product.update');
+        $configuration->isCsrfProtectionEnabled()->willReturn(false);
 
         $authorizationChecker->isGranted($configuration, 'sylius.product.update')->willReturn(true);
         $singleResourceProvider->get($configuration, $repository)->willReturn($resource);