You are here

public function CSRFAccessCheck::applies in Zircon Profile 8.0

Same name and namespace in other branches
  1. 8 core/modules/rest/src/Access/CSRFAccessCheck.php \Drupal\rest\Access\CSRFAccessCheck::applies()

Declares whether the access check applies to a specific route or not.

Parameters

\Symfony\Component\Routing\Route $route: The route to consider attaching to.

Return value

array An array of route requirement keys this access checker applies to.

Overrides AccessCheckInterface::applies

File

core/modules/rest/src/Access/CSRFAccessCheck.php, line 42
Contains \Drupal\rest\Access\CSRFAccessCheck.

Class

CSRFAccessCheck
Access protection against CSRF attacks.

Namespace

Drupal\rest\Access

Code

public function applies(Route $route) {
  $requirements = $route
    ->getRequirements();
  if (array_key_exists('_access_rest_csrf', $requirements)) {
    if (isset($requirements['_method'])) {

      // There could be more than one method requirement separated with '|'.
      $methods = explode('|', $requirements['_method']);

      // CSRF protection only applies to write operations, so we can filter
      // out any routes that require reading methods only.
      $write_methods = array_diff($methods, array(
        'GET',
        'HEAD',
        'OPTIONS',
        'TRACE',
      ));
      if (empty($write_methods)) {
        return FALSE;
      }
    }

    // No method requirement given, so we run this access check to be on the
    // safe side.
    return TRUE;
  }
}