public function RouteProcessorCsrf::processOutbound in Drupal 10
Same name and namespace in other branches
- 8 core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf::processOutbound()
- 9 core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf::processOutbound()
File
- core/
lib/ Drupal/ Core/ Access/ RouteProcessorCsrf.php, line 36
Class
- RouteProcessorCsrf
- Processes the outbound route to handle the CSRF token.
Namespace
Drupal\Core\AccessCode
public function processOutbound($route_name, Route $route, array &$parameters, BubbleableMetadata $bubbleable_metadata = NULL) {
if ($route
->hasRequirement('_csrf_token')) {
$path = ltrim($route
->getPath(), '/');
// Replace the path parameters with values from the parameters array.
foreach ($parameters as $param => $value) {
$path = str_replace("{{$param}}", $value, $path);
}
// Adding this to the parameters means it will get merged into the query
// string when the route is compiled.
if (!$bubbleable_metadata) {
$parameters['token'] = $this->csrfToken
->get($path);
}
else {
// Generate a placeholder and a render array to replace it.
$placeholder = Crypt::hashBase64($path);
$placeholder_render_array = [
'#lazy_builder' => [
'route_processor_csrf:renderPlaceholderCsrfToken',
[
$path,
],
],
];
// Instead of setting an actual CSRF token as the query string, we set
// the placeholder, which will be replaced at the very last moment. This
// ensures links with CSRF tokens don't break cacheability.
$parameters['token'] = $placeholder;
$bubbleable_metadata
->addAttachments([
'placeholders' => [
$placeholder => $placeholder_render_array,
],
]);
}
}
}