private static function MediaFilterController::checkCsrf in Drupal 10
Throws an AccessDeniedHttpException if the request fails CSRF validation.
This is used instead of \Drupal\Core\Access\CsrfAccessCheck, in order to allow access for anonymous users.
@todo Refactor this to an access checker.
1 call to MediaFilterController::checkCsrf()
- MediaFilterController::preview in core/
modules/ media/ src/ Controller/ MediaFilterController.php - Returns a HTML response containing a preview of the text after filtering.
File
- core/
modules/ media/ src/ Controller/ MediaFilterController.php, line 155
Class
- MediaFilterController
- Controller which renders a preview of the provided text.
Namespace
Drupal\media\ControllerCode
private static function checkCsrf(Request $request, AccountInterface $account) {
$header = 'X-Drupal-MediaPreview-CSRF-Token';
if (!$request->headers
->has($header)) {
throw new AccessDeniedHttpException();
}
if ($account
->isAnonymous()) {
// For anonymous users, just the presence of the custom header is
// sufficient protection.
return;
}
// For authenticated users, validate the token value.
$token = $request->headers
->get($header);
if (!\Drupal::csrfToken()
->validate($token, $header)) {
throw new AccessDeniedHttpException();
}
}