private static function QuickEditController::checkCsrf in Drupal 10

Throws an AccessDeniedHttpException if the request fails CSRF validation.

This is used instead of \Drupal\Core\Access\CsrfAccessCheck, in order to allow access for anonymous users.

@todo Refactor this to an access checker.

1 call to QuickEditController::checkCsrf()
QuickEditController::entitySave in core/modules/quickedit/src/QuickEditController.php
Saves an entity into the database, from PrivateTempStore.

File

core/modules/quickedit/src/QuickEditController.php, line 172

Class

QuickEditController
Returns responses for Quick Edit module routes.

Namespace

Drupal\quickedit

Code

use Drupal\Core\Session\AccountInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

private static function checkCsrf(Request $request, AccountInterface $account) {
  $header = 'X-Drupal-Quickedit-CSRF-Token';
  // Every request, anonymous or authenticated, must carry the custom header.
  if (!$request->headers->has($header)) {
    throw new AccessDeniedHttpException();
  }
  if ($account->isAnonymous()) {
    // For anonymous users, just the presence of the custom header is
    // sufficient protection: a cross-site HTML form cannot set a custom
    // request header.
    return;
  }

  // For authenticated users, validate the token value against the session.
  // The header name doubles as the value the token was generated for.
  $token = $request->headers->get($header);
  if (!\Drupal::csrfToken()->validate($token, $header)) {
    throw new AccessDeniedHttpException();
  }
}
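The two-tier check above is small, but the reason it is safe is easy to miss: for anonymous users the header only has to exist, for authenticated users its value must be a token bound to the current session. The following added example models that logic outside Drupal so the four outcomes (no header, anonymous with any header value, authenticated with a token for this session, authenticated with a token minted for another session) can be run and compared. It is illustration code, not Drupal's, and it stands in for \Drupal::csrfToken() with a simplified HMAC-SHA256 construction that mirrors the shape of Drupal's CsrfTokenGenerator (value keyed with session seed plus site private key); the seeds, the private key and the AccessDenied class are constructed placeholders.

```python
"""Model of the two-tier CSRF check in QuickEditController::checkCsrf.

Added illustration only; this is not Drupal code. Token derivation follows
the shape of Drupal's CsrfTokenGenerator (HMAC over the value, keyed with the
session seed and the site private key), simplified, with constructed values.
"""
import base64
import hashlib
import hmac

HEADER = "X-Drupal-Quickedit-CSRF-Token"


class AccessDenied(Exception):
    """Stands in for Symfony's AccessDeniedHttpException (constructed)."""


def csrf_token(value: str, session_seed: str, private_key: str) -> str:
    """Session-bound token: URL-safe base64 of HMAC-SHA256(value, seed || key)."""
    key = (session_seed + private_key).encode()
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def validate_token(token: str, value: str, session_seed: str, private_key: str) -> bool:
    """Constant-time comparison against the token expected for this session."""
    expected = csrf_token(value, session_seed, private_key)
    return hmac.compare_digest(token, expected)


def check_csrf(headers: dict, anonymous: bool, session_seed: str, private_key: str) -> None:
    """Raise AccessDenied unless the request passes the same two-tier rule."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if HEADER.lower() not in lowered:
        raise AccessDenied("missing custom header")
    if anonymous:
        # Presence is enough: a cross-site HTML form cannot add a custom
        # request header, and a cross-origin script attempting it triggers a
        # CORS preflight that the server does not permit.
        return
    # Authenticated users: the value must be the token minted for this
    # session, with the header name as the token's subject (as in Drupal).
    if not validate_token(lowered[HEADER.lower()], HEADER, session_seed, private_key):
        raise AccessDenied("token does not match this session")


def outcome(headers: dict, anonymous: bool, session_seed: str,
            private_key: str = "constructed-private-key") -> str:
    """Run the check and report the result as a string for easy comparison."""
    try:
        check_csrf(headers, anonymous, session_seed, private_key)
        return "allowed"
    except AccessDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    good = csrf_token(HEADER, "seed-session-A", "constructed-private-key")
    print(outcome({}, True, "seed-session-A"))
    print(outcome({HEADER: "anything"}, True, "seed-session-A"))
    print(outcome({HEADER: good}, False, "seed-session-A"))
    print(outcome({HEADER: good}, False, "seed-session-B"))
```

The last case is the one worth noticing: a token that is perfectly valid for session A is rejected for session B because the seed is part of the HMAC key, so a token leaked from one session cannot be replayed into another.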