private static function MediaFilterController::checkCsrf in Drupal 10

Throws an AccessDeniedHttpException if the request fails CSRF validation.

This is used instead of \Drupal\Core\Access\CsrfAccessCheck, in order to allow access for anonymous users.

@todo Refactor this to an access checker.

1 call to MediaFilterController::checkCsrf()
MediaFilterController::preview in core/modules/media/src/Controller/MediaFilterController.php
Returns an HTML response containing a preview of the text after filtering.

File

core/modules/media/src/Controller/MediaFilterController.php, line 155

Class

MediaFilterController
Controller which renders a preview of the provided text.

Namespace

Drupal\media\Controller

Code

private static function checkCsrf(Request $request, AccountInterface $account) {
  $header = 'X-Drupal-MediaPreview-CSRF-Token';
  // Every caller, anonymous or authenticated, must send the custom header.
  if (!$request->headers->has($header)) {
    throw new AccessDeniedHttpException();
  }
  if ($account->isAnonymous()) {
    // For anonymous users, just the presence of the custom header is
    // sufficient protection.
    return;
  }

  // For authenticated users, validate the token value.
  $token = $request->headers->get($header);
  if (!\Drupal::csrfToken()->validate($token, $header)) {
    throw new AccessDeniedHttpException();
  }
}
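As an added illustration (not code from Drupal core), the following stand-alone PHP script models the two-tier check above with minimal stand-ins for the request headers, the account and the CSRF token service, so the decision logic can be exercised without a Drupal bootstrap. The Demo* names and the keyed-hash token scheme are assumptions for the example; the four cases walk through a missing header, an anonymous caller with an arbitrary header value, and an authenticated caller with an invalid and then a valid token.

```php
<?php
// Added example (not Drupal core code): a stand-alone model of the two-tier
// check in MediaFilterController::checkCsrf(). Demo* names are assumptions.

final class DemoAccessDeniedException extends RuntimeException {}

// Stand-in for the CSRF token service: a keyed hash of the value, bound to
// a per-session seed, in the spirit of Drupal's token generator.
final class DemoCsrfToken {
  public function __construct(private string $sessionSeed) {}
  public function get(string $value): string {
    return hash_hmac('sha256', $value, $this->sessionSeed);
  }
  public function validate(string $token, string $value): bool {
    return hash_equals($this->get($value), $token);
  }
}

// Mirrors the controller logic: header presence first, then a real token
// check only for authenticated accounts.
function demoCheckCsrf(array $headers, bool $isAnonymous, DemoCsrfToken $csrf): void {
  $header = 'X-Drupal-MediaPreview-CSRF-Token';
  // Header names are case-insensitive, as in Symfony's HeaderBag.
  $headers = array_change_key_case($headers, CASE_LOWER);
  $key = strtolower($header);
  if (!array_key_exists($key, $headers)) {
    throw new DemoAccessDeniedException('missing header');
  }
  if ($isAnonymous) {
    // Anonymous sessions carry no CSRF seed, so the header value is never
    // checked: the protection is that a cross-origin page cannot attach a
    // custom header without a CORS preflight the server must approve.
    return;
  }
  if (!$csrf->validate($headers[$key], $header)) {
    throw new DemoAccessDeniedException('invalid token');
  }
}

$csrf = new DemoCsrfToken('constructed-session-seed');
$name = 'X-Drupal-MediaPreview-CSRF-Token';
$cases = [
  'no header, anonymous'       => [[], TRUE],
  'any value, anonymous'       => [[$name => 'whatever'], TRUE],
  'wrong token, authenticated' => [[$name => 'whatever'], FALSE],
  'valid token, authenticated' => [[$name => $csrf->get($name)], FALSE],
];
foreach ($cases as $label => [$headers, $anon]) {
  try {
    demoCheckCsrf($headers, $anon, $csrf);
    echo "$label: allowed\n";
  } catch (DemoAccessDeniedException $e) {
    echo "$label: denied ({$e->getMessage()})\n";
  }
}
```

The anonymous branch only holds while the site's cors.config in services.yml does not allow arbitrary request headers from any origin; widening it removes the property that branch depends on.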