class RouteProcessorCsrf in Drupal 9
Same name and namespace in other branches
- 8 core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf
Processes the outbound route to handle the CSRF token.
Hierarchy
- class \Drupal\Core\Access\RouteProcessorCsrf implements OutboundRouteProcessorInterface, TrustedCallbackInterface
Expanded class hierarchy of RouteProcessorCsrf
1 file declares its use of RouteProcessorCsrf
- RouteProcessorCsrfTest.php in core/
tests/ Drupal/ Tests/ Core/ Access/ RouteProcessorCsrfTest.php
1 string reference to 'RouteProcessorCsrf'
- core.services.yml in core/
core.services.yml - core/core.services.yml
1 service uses RouteProcessorCsrf
File
- core/
lib/ Drupal/ Core/ Access/ RouteProcessorCsrf.php, line 14
Namespace
Drupal\Core\AccessView source
class RouteProcessorCsrf implements OutboundRouteProcessorInterface, TrustedCallbackInterface {
/**
* The CSRF token generator.
*
* @var \Drupal\Core\Access\CsrfTokenGenerator
*/
protected $csrfToken;
/**
* Constructs a RouteProcessorCsrf object.
*
* @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
* The CSRF token generator.
*/
public function __construct(CsrfTokenGenerator $csrf_token) {
$this->csrfToken = $csrf_token;
}
/**
* {@inheritdoc}
*/
public function processOutbound($route_name, Route $route, array &$parameters, BubbleableMetadata $bubbleable_metadata = NULL) {
if ($route
->hasRequirement('_csrf_token')) {
$path = ltrim($route
->getPath(), '/');
// Replace the path parameters with values from the parameters array.
foreach ($parameters as $param => $value) {
$path = str_replace("{{$param}}", $value, $path);
}
// Adding this to the parameters means it will get merged into the query
// string when the route is compiled.
if (!$bubbleable_metadata) {
$parameters['token'] = $this->csrfToken
->get($path);
}
else {
// Generate a placeholder and a render array to replace it.
$placeholder = Crypt::hashBase64($path);
$placeholder_render_array = [
'#lazy_builder' => [
'route_processor_csrf:renderPlaceholderCsrfToken',
[
$path,
],
],
];
// Instead of setting an actual CSRF token as the query string, we set
// the placeholder, which will be replaced at the very last moment. This
// ensures links with CSRF tokens don't break cacheability.
$parameters['token'] = $placeholder;
$bubbleable_metadata
->addAttachments([
'placeholders' => [
$placeholder => $placeholder_render_array,
],
]);
}
}
}
/**
* #lazy_builder callback; gets a CSRF token for the given path.
*
* @param string $path
* The path to get a CSRF token for.
*
* @return array
* A renderable array representing the CSRF token.
*/
public function renderPlaceholderCsrfToken($path) {
return [
'#markup' => $this->csrfToken
->get($path),
// Tokens are per session.
'#cache' => [
'contexts' => [
'session',
],
],
];
}
/**
* {@inheritdoc}
*/
public static function trustedCallbacks() {
return [
'renderPlaceholderCsrfToken',
];
}
}Members
Name |
Modifiers | Type | Description | Overrides |
|---|---|---|---|---|
|
RouteProcessorCsrf:: |
protected | property | The CSRF token generator. | |
|
RouteProcessorCsrf:: |
public | function |
Processes the outbound route. Overrides OutboundRouteProcessorInterface:: |
|
|
RouteProcessorCsrf:: |
public | function | #lazy_builder callback; gets a CSRF token for the given path. | |
|
RouteProcessorCsrf:: |
public static | function |
Lists the trusted callbacks provided by the implementing class. Overrides TrustedCallbackInterface:: |
|
|
RouteProcessorCsrf:: |
public | function | Constructs a RouteProcessorCsrf object. | |
|
TrustedCallbackInterface:: |
constant | Untrusted callbacks throw exceptions. | ||
|
TrustedCallbackInterface:: |
constant | Untrusted callbacks trigger silenced E_USER_DEPRECATION errors. | ||
|
TrustedCallbackInterface:: |
constant | Untrusted callbacks trigger E_USER_WARNING errors. |