public function RouteProcessorCsrf::processOutbound in Drupal 10

Same name and namespace in other branches
  1. 8 core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf::processOutbound()
  2. 9 core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf::processOutbound()

File

core/lib/Drupal/Core/Access/RouteProcessorCsrf.php, line 36

Class

RouteProcessorCsrf
Processes the outbound route to handle the CSRF token.

Namespace

Drupal\Core\Access

Code

public function processOutbound($route_name, Route $route, array &$parameters, BubbleableMetadata $bubbleable_metadata = NULL) {
  if ($route->hasRequirement('_csrf_token')) {
    $path = ltrim($route->getPath(), '/');

    // Replace the path parameters with values from the parameters array.
    foreach ($parameters as $param => $value) {
      $path = str_replace("{{$param}}", $value, $path);
    }

    // Adding this to the parameters means it will get merged into the query
    // string when the route is compiled.
    if (!$bubbleable_metadata) {
      $parameters['token'] = $this->csrfToken->get($path);
    }
    else {
      // Generate a placeholder and a render array to replace it.
      $placeholder = Crypt::hashBase64($path);
      $placeholder_render_array = [
        '#lazy_builder' => [
          'route_processor_csrf:renderPlaceholderCsrfToken',
          [
            $path,
          ],
        ],
      ];

      // Instead of setting an actual CSRF token as the query string, we set
      // the placeholder, which will be replaced at the very last moment. This
      // ensures links with CSRF tokens don't break cacheability.
      $parameters['token'] = $placeholder;
      $bubbleable_metadata->addAttachments([
        'placeholders' => [
          $placeholder => $placeholder_render_array,
        ],
      ]);
    }
  }
}
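
The placeholder branch above, sketched as a stand-alone script (an added example, not Drupal core code): the cached link carries only a hash of the path, and the per-session token is substituted at output time. The function names, the route, the seeds and the secret are constructed for illustration, and `csrf_token_for()` is a hypothetical stand-in for the `csrf_token` service; the `str_replace()` step simplifies Drupal's placeholder rendering.

```php
<?php
// Added illustration, not Drupal core code. All function names are hypothetical.

// Same construction as Crypt::hashBase64(): URL-safe base64 of a SHA-256 digest.
function hash_base64(string $data): string {
  return str_replace(['+', '/', '='], ['-', '_', ''], base64_encode(hash('sha256', $data, TRUE)));
}

// Assumption: stand-in for the csrf_token service, an HMAC of the path keyed
// by a per-session seed plus a site secret.
function csrf_token_for(string $path, string $session_seed, string $site_secret): string {
  return str_replace(['+', '/', '='], ['-', '_', ''],
    base64_encode(hash_hmac('sha256', $path, $session_seed . $site_secret, TRUE)));
}

// Mirrors the path handling in processOutbound(): strip the leading slash and
// substitute {param} slots, so the token is bound to one concrete URL.
function token_path(string $route_path, array $parameters): string {
  $path = ltrim($route_path, '/');
  foreach ($parameters as $param => $value) {
    $path = str_replace('{' . $param . '}', (string) $value, $path);
  }
  return $path;
}

// Constructed sample route and values.
$path = token_path('/node/{node}/unpublish', ['node' => 42]);
$placeholder = hash_base64($path);

// Cacheable markup: identical for every user because it holds no secret.
$cached_html = '<a href="/' . $path . '?token=' . $placeholder . '">Unpublish</a>';

// Last-moment replacement, done per request with the requester's session seed.
$secret = 'constructed-site-secret';
foreach (['alice' => 'seed-A', 'bob' => 'seed-B'] as $user => $seed) {
  $html = str_replace($placeholder, csrf_token_for($path, $seed, $secret), $cached_html);
  echo $user, ': ', $html, PHP_EOL;
}

// A token minted for one path must not validate for another path.
$other = csrf_token_for(token_path('/node/{node}/unpublish', ['node' => 43]), 'seed-A', $secret);
var_dump(hash_equals(csrf_token_for($path, 'seed-A', $secret), $other));
```

The two printed links differ only in the `token` value, which is why the markup containing the placeholder can be shared across sessions without leaking one user's token to another.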