/**
 * A POST to a restricted action must be rejected even when the session is
 * authenticated, unless the request also carries a valid CSRF token.
 *
 * Intended flow: authenticate through the UsernamePassword token, reuse the
 * session cookie, then POST to the restricted customer action (a) without any
 * authentication, (b) with the authenticated session but no CSRF token, and
 * (c) with the session plus the CSRF token taken from the security context.
 * Only (c) is meant to succeed; (a) and (b) are meant to fail with distinct
 * exceptions.
 *
 * NOTE: markTestIncomplete() aborts the test on its first line, so the steps
 * below are a sketch of the intended scenario and do not currently execute.
 */
public function postRequestOnRestrictedActionWithoutCsrfTokenCausesAccessDeniedException()
{
    $this->markTestIncomplete('Needs to be implemented');

    // Credentials for the UsernamePassword authentication token, in the
    // nested request-argument layout the Flow authentication provider expects.
    $credentials = [
        '__authentication' => [
            'TYPO3' => [
                'Flow' => [
                    'Security' => [
                        'Authentication' => [
                            'Token' => [
                                'UsernamePassword' => [
                                    'username' => 'admin',
                                    'password' => 'password',
                                ],
                            ],
                        ],
                    ],
                ],
            ],
        ],
    ];

    // Step 1: log in and capture the session cookie issued by the login response.
    $loginRequest = Request::create(
        new Uri('http://localhost/test/security/authentication/usernamepassword/authenticate'),
        'POST',
        $credentials
    );
    $loginResponse = $this->browser->sendRequest($loginRequest);
    $sessionCookie = $loginResponse->getCookie('TYPO3_Flow_Session');

    // Step 2: replay the session cookie against a restricted admin action.
    $adminRequest = Request::create(new Uri('http://localhost/test/security/restricted/admin'));
    $adminRequest->setCookie($sessionCookie);
    $this->browser->sendRequest($adminRequest);

    // (a) No authenticated account: an exception is expected.
    $this->browser->request(new Uri('http://localhost/test/security/restricted/customer'), 'POST');
    // TODO: assert on the exception

    // (b) Authenticated account but no CSRF token: a different exception is expected.
    $this->browser->request(new Uri('http://localhost/test/security/restricted/customer'), 'POST', $credentials);
    // TODO: assert on the exception

    // (c) Authenticated account plus CSRF token: the request is expected to succeed.
    $csrfToken = $this->securityContext->getCsrfProtectionToken();
    $customerRequest = Request::create(new Uri('http://localhost/test/security/restricted/customer'), 'POST');
    // TODO: attach $csrfToken to $customerRequest, send it and assert success
}