Issue #3423454 by scott_euser, smustgrave: Form Builder does not fully allow Ajax GET requests

(cherry picked from commit 09ade8fa41)
2024-02-26 10:47:20 +00:00 · 2024-02-26 10:47:20 +00:00 · 1b4b5e52a6
parent 9e37787101
commit 1b4b5e52a6
2 changed files with 27 additions and 3 deletions
--- a/core/lib/Drupal/Core/Form/FormBuilder.php
+++ b/core/lib/Drupal/Core/Form/FormBuilder.php
@ -327,7 +327,7 @@ class FormBuilder implements FormBuilderInterface, FormValidatorInterface, FormS
    // In case the post request exceeds the configured allowed size
    // (post_max_size), the post request is potentially broken. Add some
    // protection against that and at the same time have a nice error message.
-    if ($ajax_form_request && !$request->request->has('form_id')) {
+    if ($ajax_form_request && !$request->get('form_id')) {
      throw new BrokenPostRequestException($this->getFileUploadMaxSize());
    }

@ -340,7 +340,7 @@ class FormBuilder implements FormBuilderInterface, FormValidatorInterface, FormS
    // build a proper AJAX response.
    // Only do this when the form ID matches, since there is no guarantee from
    // $ajax_form_request that it's an AJAX request for this particular form.
-    if ($ajax_form_request && $form_state->isProcessingInput() && $request->request->get('form_id') == $form_id) {
+    if ($ajax_form_request && $form_state->isProcessingInput() && $request->get('form_id') == $form_id) {
      throw new FormAjaxException($form, $form_state);
    }

--- a/core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php
+++ b/core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php
@ -595,7 +595,7 @@ class FormBuilderTest extends FormTestBase {
  /**
   * @covers ::buildForm
   */
-  public function testGetPostAjaxRequest() {
+  public function testPostAjaxRequest(): void {
    $request = new Request([FormBuilderInterface::AJAX_FORM_REQUEST => TRUE], ['form_id' => 'different_form_id']);
    $request->setMethod('POST');
    $this->requestStack->push($request);
@ -615,6 +615,30 @@ class FormBuilderTest extends FormTestBase {
    $this->assertSame('test-form', $form['#id']);
  }

+  /**
+   * @covers ::buildForm
+   */
+  public function testGetAjaxRequest(): void {
+    $request = new Request([FormBuilderInterface::AJAX_FORM_REQUEST => TRUE]);
+    $request->query->set('form_id', 'different_form_id');
+    $request->setMethod('GET');
+    $this->requestStack->push($request);
+
+    $form_state = (new FormState())
+      ->setUserInput([FormBuilderInterface::AJAX_FORM_REQUEST => TRUE])
+      ->setMethod('get')
+      ->setAlwaysProcess()
+      ->disableRedirect()
+      ->set('ajax', TRUE);
+
+    $form_id = '\Drupal\Tests\Core\Form\TestForm';
+    $expected_form = (new TestForm())->buildForm([], $form_state);
+
+    $form = $this->formBuilder->buildForm($form_id, $form_state);
+    $this->assertFormElement($expected_form, $form, 'test');
+    $this->assertSame('test-form', $form['#id']);
+  }
+
  /**
   * @covers ::buildForm
   *