class CSRFTokenAccessCheck in Services 9.0.x
Same name and namespace in other branches
- 8.4 src/Access/CSRFTokenAccessCheck.php \Drupal\services\Access\CSRFTokenAccessCheck
Class \Drupal\services\Access\CSRFTokenAccessCheck.
Hierarchy
- class \Drupal\services\Access\CSRFTokenAccessCheck implements AccessCheckInterface
Expanded class hierarchy of CSRFTokenAccessCheck
1 string reference to 'CSRFTokenAccessCheck'
1 service uses CSRFTokenAccessCheck
File
- src/Access/CSRFTokenAccessCheck.php, line 15
Namespace
Drupal\services\Access
View source
```php
<?php

namespace Drupal\services\Access;

// The use statements are not shown on the page; they are reconstructed here
// from the fully qualified class names the code and docblocks reference.
use Drupal\Core\Access\AccessCheckInterface;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Session\SessionConfigurationInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Route;

class CSRFTokenAccessCheck implements AccessCheckInterface {

  /**
   * The session configuration.
   *
   * @var \Drupal\Core\Session\SessionConfigurationInterface
   */
  protected $sessionConfiguration;

  /**
   * Constructor for \Drupal\services\Access\CSRFTokenAccessCheck.
   */
  public function __construct(SessionConfigurationInterface $session_configuration) {
    $this->sessionConfiguration = $session_configuration;
  }

  /**
   * {@inheritdoc}
   */
  public function applies(Route $route) {
    $requirements = $route->getRequirements();
    // Only routes declaring the '_check_services_csrf' requirement are checked,
    // and only if they accept at least one restricted method.
    if (!isset($requirements['_check_services_csrf'])) {
      return FALSE;
    }
    return $this->hasRestrictedMethod($route->getMethods());
  }

  /**
   * {@inheritdoc}
   */
  public function access(Request $request, AccountInterface $account) {
    // A token is demanded only for authenticated, session-backed requests that
    // use a restricted method; every other request is allowed through.
    if ($account->isAuthenticated() && in_array($request->getMethod(), $this->restrictedMethods()) && $this->sessionConfiguration->hasSession($request)) {
      $csrf_token = $request->headers->get('X-CSRF-Token');
      if (!\Drupal::csrfToken()->validate($csrf_token, 'services')) {
        return AccessResult::forbidden('CSRF validation failed')->setCacheMaxAge(0);
      }
    }
    // The result depends on the request, so it is never cached.
    return AccessResult::allowed()->setCacheMaxAge(0);
  }

  /**
   * Define restricted methods that need a CSRF token.
   *
   * @return array
   *   An array of restricted methods.
   */
  protected function restrictedMethods() {
    return [
      'PUT',
      'POST',
    ];
  }

  /**
   * Determine if the methods are restricted.
   *
   * @param array $methods
   *   An array of HTTP methods.
   *
   * @return bool
   *   Return TRUE if a restricted method was found; otherwise FALSE.
   */
  protected function hasRestrictedMethod(array $methods) {
    foreach ($methods as $method) {
      if (in_array(strtoupper($method), $this->restrictedMethods())) {
        return TRUE;
      }
    }
    return FALSE;
  }

}
```
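The decision made by access(), as an added example that is not the Services module's own code: a self-contained PHP 8 script with a simplified stand-in for Drupal core's CsrfTokenGenerator (core derives the token from a per-session seed, the site's private key and hash salt; here a single HMAC keyed by a session seed and a placeholder site secret takes that role). The class, function and sample inputs are constructed for this illustration; only the X-CSRF-Token header name, the 'services' token value and the PUT/POST list come from the page.

```php
<?php
// Added example, not code from the Services module. Models the decision made
// by CSRFTokenAccessCheck::access() with a simplified stand-in for Drupal
// core's CsrfTokenGenerator. Every class, function and sample value below is
// constructed for illustration; only 'X-CSRF-Token', the 'services' value and
// the PUT/POST list come from the page.

final class ToyCsrfTokenGenerator {
  // Hypothetical stand-in: one HMAC keyed by a per-session seed plus a site
  // secret. Core additionally mixes in the private key and hash salt.
  public function __construct(private string $sessionSeed, private string $siteSecret) {}

  // Counterpart of \Drupal::csrfToken()->get($value): the token is bound both
  // to the session (seed) and to the purpose string ($value).
  public function get(string $value): string {
    return hash_hmac('sha256', $value, $this->sessionSeed . $this->siteSecret);
  }

  // Counterpart of \Drupal::csrfToken()->validate($token, $value). A missing
  // header arrives as NULL and must fail; the comparison is constant-time.
  public function validate(?string $token, string $value): bool {
    return is_string($token) && hash_equals($this->get($value), $token);
  }
}

// Same list as restrictedMethods() on the page.
const RESTRICTED_METHODS = ['PUT', 'POST'];

/**
 * Same branch structure as access(): the token is demanded only when the
 * caller is authenticated, uses a restricted method and has a session.
 * $request is a plain array standing in for Symfony's Request object.
 */
function services_csrf_decision(array $request, bool $authenticated, bool $hasSession, ToyCsrfTokenGenerator $gen): string {
  // Symfony's Request::getMethod() already returns an upper-cased verb.
  $method = strtoupper($request['method']);
  if ($authenticated && in_array($method, RESTRICTED_METHODS, TRUE) && $hasSession) {
    $token = $request['headers']['X-CSRF-Token'] ?? NULL;
    if (!$gen->validate($token, 'services')) {
      return 'forbidden: CSRF validation failed';
    }
  }
  return 'allowed';
}

// Constructed inputs: two browser sessions sharing one (placeholder) site secret.
$siteSecret = 'SITE-SECRET-PLACEHOLDER';
$ownSession = new ToyCsrfTokenGenerator(bin2hex(random_bytes(16)), $siteSecret);
$otherSession = new ToyCsrfTokenGenerator(bin2hex(random_bytes(16)), $siteSecret);

$post = fn(array $headers = []) => ['method' => 'POST', 'headers' => $headers];
$cases = [
  'anonymous POST, no token'                          => [$post(), FALSE, FALSE],
  'authenticated GET, no token'                       => [['method' => 'GET', 'headers' => []], TRUE, TRUE],
  'authenticated POST, cookie-less auth (no session)' => [$post(), TRUE, FALSE],
  'authenticated POST, no token'                      => [$post(), TRUE, TRUE],
  'authenticated POST, token for this session'        => [$post(['X-CSRF-Token' => $ownSession->get('services')]), TRUE, TRUE],
  'authenticated POST, token issued for value "rest"' => [$post(['X-CSRF-Token' => $ownSession->get('rest')]), TRUE, TRUE],
  'authenticated POST, token from another session'    => [$post(['X-CSRF-Token' => $otherSession->get('services')]), TRUE, TRUE],
];

foreach ($cases as $label => [$request, $authenticated, $hasSession]) {
  printf("%-52s => %s\n", $label, services_csrf_decision($request, $authenticated, $hasSession, $ownSession));
}
```

Run it with `php example.php`. The anonymous, GET, cookie-less and own-token cases come out allowed; the cases with no token, a token issued for a different value, or a token minted in another session are refused. That is the property the access check relies on: a token is only meaningful for the session and purpose it was generated for, so the 'services' value in validate() must match the value used when the token was issued. As on the page, the restricted list covers only PUT and POST; the example mirrors that list rather than extending it.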
Members
Name | Modifiers | Type | Description | Overrides
---|---|---|---|---
CSRFTokenAccessCheck::$sessionConfiguration | protected | property | The session configuration. |
CSRFTokenAccessCheck::access | public | function | |
CSRFTokenAccessCheck::applies | public | function | Declares whether the access check applies to a specific route or not. | Overrides AccessCheckInterface::applies
CSRFTokenAccessCheck::hasRestrictedMethod | protected | function | Determine if the methods are restricted. |
CSRFTokenAccessCheck::restrictedMethods | protected | function | Define restricted methods that need a CSRF token. |
CSRFTokenAccessCheck::__construct | public | function | Constructor for \Drupal\services\Access\CSRFTokenAccessCheck. |