Perform the least expensive validations first
authorAlexander Ebert <ebert@woltlab.com>
Tue, 15 Nov 2022 13:27:52 +0000 (14:27 +0100)
committerGitHub <noreply@github.com>
Tue, 15 Nov 2022 13:27:52 +0000 (14:27 +0100)
Co-authored-by: Tim Düsterhus <duesterhus@woltlab.com>
wcfsetup/install/files/lib/http/middleware/Xsrf.class.php

index 3e062e3e41d6298e69cbb65135c8c5f3feb501ba..c4813ce2a3ab597b0c04bbc2a21292798ee56731 100644 (file)
@@ -71,6 +71,11 @@ final class Xsrf implements MiddlewareInterface
 
     private function assertHasValidXsrfToken(Request $request, bool $hasValidXsrfToken): void
     {
+        if ($hasValidXsrfToken) {
+            // No need to do anything for a valid token.
+            return;
+        }
+
         if (!\is_subclass_of($request->getClassName(), RequestHandlerInterface::class)) {
             // Skip the XSRF check for legacy controllers.
             return;
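Review bot: The new early return on line 14 turns the rest of assertHasValidXsrfToken into the invalid-token path, but nothing above the signature on line 12 documents that decision table (valid token, legacy controller, or the exemption tested in the next hunk all pass silently; everything else throws), so a future edit that reorders or adds a branch has no contract to check against. I would add a docblock before the signature stating that the method returns without effect for a valid token or a controller that is not a RequestHandlerInterface subclass, and otherwise throws, closing with `@throws InvalidSecurityTokenException`. The comment on line 20 could also say what "skip" means for a caller, e.g. `// Legacy controllers are not covered by this middleware; a missing or invalid token is tolerated here.` The value of `$hasValidXsrfToken` is computed by the caller and is not visible in this hunk; if it comes from a plain string comparison of the submitted token, that comparison should use `hash_equals()`, which is worth confirming. The method body continues past the end of this hunk.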
@@ -82,8 +87,8 @@ final class Xsrf implements MiddlewareInterface
             return;
         }
 
-        if (!$hasValidXsrfToken) {
-            throw new InvalidSecurityTokenException();
-        }
+        // The controller requires a valid XSRF Token and no valid
+        // token was provided, abort the processing.
+        throw new InvalidSecurityTokenException();
     }
 }