public function CSRFAccessCheck::access in Zircon Profile 8
Same name in this branch
- 8 core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck::access()
- 8 core/modules/rest/src/Access/CSRFAccessCheck.php \Drupal\rest\Access\CSRFAccessCheck::access()
Same name and namespace in other branches
- 8.0 core/modules/rest/src/Access/CSRFAccessCheck.php \Drupal\rest\Access\CSRFAccessCheck::access()
Checks access.
Parameters
\Symfony\Component\HttpFoundation\Request $request: The request object.
\Drupal\Core\Session\AccountInterface $account: The currently logged in account.
Return value
\Drupal\Core\Access\AccessResultInterface The access result.
File
- core/
modules/ rest/ src/ Access/ CSRFAccessCheck.php, line 73 - Contains \Drupal\rest\Access\CSRFAccessCheck.
Class
- CSRFAccessCheck
- Access protection against CSRF attacks.
Namespace
Drupal\rest\AccessCode
public function access(Request $request, AccountInterface $account) {
$method = $request
->getMethod();
// This check only applies if
// 1. this is a write operation
// 2. the user was successfully authenticated and
// 3. the request comes with a session cookie.
if (!in_array($method, array(
'GET',
'HEAD',
'OPTIONS',
'TRACE',
)) && $account
->isAuthenticated() && $this->sessionConfiguration
->hasSession($request)) {
$csrf_token = $request->headers
->get('X-CSRF-Token');
if (!\Drupal::csrfToken()
->validate($csrf_token, 'rest')) {
return AccessResult::forbidden()
->setCacheMaxAge(0);
}
}
// Let other access checkers decide if the request is legit.
return AccessResult::allowed()
->setCacheMaxAge(0);
}