class CsrfAccessCheck in Drupal 9
Same name and namespace in other branches
- 8 core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck
Allows access to routes to be controlled by a '_csrf_token' parameter.
To use this check, add a "token" GET parameter to URLs of which the value is a token generated by \Drupal::csrfToken()->get() using the same value as the "_csrf_token" parameter in the route.
Hierarchy
- class \Drupal\Core\Access\CsrfAccessCheck implements AccessInterface
Expanded class hierarchy of CsrfAccessCheck
1 file declares its use of CsrfAccessCheck
- CsrfAccessCheckTest.php in core/
tests/ Drupal/ Tests/ Core/ Access/ CsrfAccessCheckTest.php
1 string reference to 'CsrfAccessCheck'
- core.services.yml in core/
core.services.yml - core/core.services.yml
1 service uses CsrfAccessCheck
File
- core/
lib/ Drupal/ Core/ Access/ CsrfAccessCheck.php, line 17
Namespace
Drupal\Core\AccessView source
class CsrfAccessCheck implements RoutingAccessInterface {
/**
* The CSRF token generator.
*
* @var \Drupal\Core\Access\CsrfTokenGenerator
*/
protected $csrfToken;
/**
* Constructs a CsrfAccessCheck object.
*
* @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
* The CSRF token generator.
*/
public function __construct(CsrfTokenGenerator $csrf_token) {
$this->csrfToken = $csrf_token;
}
/**
* Checks access based on a CSRF token for the request.
*
* @param \Symfony\Component\Routing\Route $route
* The route to check against.
* @param \Symfony\Component\HttpFoundation\Request $request
* The request object.
* @param \Drupal\Core\Routing\RouteMatchInterface $route_match
* The route match object.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(Route $route, Request $request, RouteMatchInterface $route_match) {
$parameters = $route_match
->getRawParameters();
$path = ltrim($route
->getPath(), '/');
// Replace the path parameters with values from the parameters array.
foreach ($parameters as $param => $value) {
$path = str_replace("{{$param}}", $value, $path);
}
if ($this->csrfToken
->validate($request->query
->get('token', ''), $path)) {
$result = AccessResult::allowed();
}
else {
$result = AccessResult::forbidden($request->query
->has('token') ? "'csrf_token' URL query argument is invalid." : "'csrf_token' URL query argument is missing.");
}
// Not cacheable because the CSRF token is highly dynamic.
return $result
->setCacheMaxAge(0);
}
}
Members
Name | Modifiers | Type | Description | Overrides |
---|---|---|---|---|
CsrfAccessCheck:: |
protected | property | The CSRF token generator. | |
CsrfAccessCheck:: |
public | function | Checks access based on a CSRF token for the request. | |
CsrfAccessCheck:: |
public | function | Constructs a CsrfAccessCheck object. |