public function CsrfRequestHeaderAccessCheck::applies in Drupal 8

Same name and namespace in other branches
  1. 9 core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::applies()
  2. 10 core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::applies()

Declares whether the access check applies to a specific route or not.

Parameters

\Symfony\Component\Routing\Route $route: The route to consider attaching to.

Return value

bool TRUE if this access checker applies to this route.

Overrides AccessCheckInterface::applies

File

core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php, line 50

Class

CsrfRequestHeaderAccessCheck
Access protection against CSRF attacks.

Namespace

Drupal\Core\Access

Code

public function applies(Route $route) {
  $requirements = $route->getRequirements();

  // Check for the current requirement _csrf_request_header_token and the
  // deprecated REST requirement.
  $applicable_requirements = [
    '_csrf_request_header_token',
    // @todo Remove _access_rest_csrf in Drupal 10.0.0 https://www.drupal.org/node/3115308
    '_access_rest_csrf',
  ];
  if ($route->hasRequirement('_access_rest_csrf')) {
    @trigger_error('Route requirement _access_rest_csrf is deprecated in drupal:8.2.0 and is removed in drupal:10.0.0. Use _csrf_request_header_token instead. See https://www.drupal.org/node/2772399', E_USER_DEPRECATED);
  }
  $requirement_keys = array_keys($requirements);
  if (array_intersect($applicable_requirements, $requirement_keys)) {
    if (isset($requirements['_method'])) {
      // There could be more than one method requirement separated with '|'.
      $methods = explode('|', $requirements['_method']);

      // CSRF protection only applies to write operations, so we can filter
      // out any routes that require reading methods only.
      $write_methods = array_diff($methods, ['GET', 'HEAD', 'OPTIONS', 'TRACE']);
      if (empty($write_methods)) {
        return FALSE;
      }
    }

    // Either no method requirement was given or it includes a write method,
    // so we run this access check to be on the safe side.
    return TRUE;
  }

  // The route carries neither requirement, so this check does not apply.
  // (Core falls through here without a return statement, yielding NULL; an
  // explicit FALSE matches the documented bool return value.)
  return FALSE;
}
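The decision above is easy to misread for routes that mix read and write methods, so here is an added example (not Drupal core code) that runs the same applicability logic over a few constructed route definitions. `RouteStandIn` is a hypothetical minimal stand-in for `\Symfony\Component\Routing\Route` exposing only the two methods `applies()` calls, and `csrf_header_check_applies()` restates the core logic so it runs without a Drupal container; the route requirement arrays are constructed for illustration.

```php
<?php

// Hypothetical stand-in for \Symfony\Component\Routing\Route (constructed for
// this example); it offers only what the access check reads.
final class RouteStandIn {

  private array $requirements;

  public function __construct(array $requirements) {
    $this->requirements = $requirements;
  }

  public function getRequirements(): array {
    return $this->requirements;
  }

  public function hasRequirement(string $key): bool {
    return array_key_exists($key, $this->requirements);
  }

}

// Restatement of CsrfRequestHeaderAccessCheck::applies(): TRUE when the
// request-header CSRF check should run for this route, FALSE otherwise.
function csrf_header_check_applies(RouteStandIn $route): bool {
  $requirements = $route->getRequirements();
  $applicable = ['_csrf_request_header_token', '_access_rest_csrf'];

  // A route must opt in with one of the two requirement keys.
  if (!array_intersect($applicable, array_keys($requirements))) {
    return FALSE;
  }

  // Only write methods need protection; a route restricted to safe methods
  // is skipped. GET|POST still applies because POST is a write method.
  if (isset($requirements['_method'])) {
    $methods = explode('|', $requirements['_method']);
    $write_methods = array_diff($methods, ['GET', 'HEAD', 'OPTIONS', 'TRACE']);
    if (empty($write_methods)) {
      return FALSE;
    }
  }

  // No method restriction, or at least one write method: run the check.
  return TRUE;
}

// Constructed route requirement sets covering each branch of the decision.
$routes = [
  'POST, opted in'            => new RouteStandIn(['_csrf_request_header_token' => 'TRUE', '_method' => 'POST']),
  'GET|POST, opted in'        => new RouteStandIn(['_csrf_request_header_token' => 'TRUE', '_method' => 'GET|POST']),
  'GET only, opted in'        => new RouteStandIn(['_csrf_request_header_token' => 'TRUE', '_method' => 'GET']),
  'no _method, opted in'      => new RouteStandIn(['_csrf_request_header_token' => 'TRUE']),
  'deprecated REST key, POST' => new RouteStandIn(['_access_rest_csrf' => 'TRUE', '_method' => 'POST']),
  'POST, not opted in'        => new RouteStandIn(['_method' => 'POST']),
];

foreach ($routes as $label => $route) {
  printf("%-26s => %s\n", $label, csrf_header_check_applies($route) ? 'CSRF check applies' : 'skipped');
}
```

Running the script shows the first two, the fourth and the fifth route as protected and the GET-only and non-opted-in routes as skipped. The practical point for route authors: declaring `_csrf_request_header_token` on a route is what enables the check, and a route that allows any write method stays protected even when it also allows GET.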