class CsrfAccessCheck
Same name in other branches
- 9 core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck
- 8.9.x core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck
- 10 core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck
Access protection against CSRF attacks.
The CsrfAccessCheck is applied to any route that carries the '_csrf_token' route requirement. If a link/URL to a protected route is generated through the url_generator service (for example via Url::fromRoute()), a valid token is appended automatically as the 'token' query parameter by RouteProcessorCsrf. Otherwise a valid token can be generated with the csrf_token service, passing as its argument the route's path with its placeholders replaced by the request's raw parameter values and without the leading slash (the same string the access check rebuilds with generateRoutePath()); the token is then supplied in the 'token' query parameter when the protected route is requested. Because the token is bound to the requesting user's session, the access result is never cacheable. Note that '_csrf_token' only proves the request originated from a link this site generated for this session; it does not authorize the action, so it is normally combined with another requirement such as '_permission'.
Hierarchy
- class \Drupal\Core\Access\CsrfAccessCheck implements \Drupal\Core\Routing\Access\AccessInterface uses \Drupal\Core\Access\RoutePathGenerationTrait
Expanded class hierarchy of CsrfAccessCheck
See also
\Drupal\Core\Access\RouteProcessorCsrf
\Drupal\Core\Access\CsrfTokenGenerator
https://www.drupal.org/docs/8/api/routing-system/access-checking-on-rou…
2 files declare their use of CsrfAccessCheck
- CsrfAccessCheckTest.php in core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php
- RoutePathGenerationTraitTest.php in core/tests/Drupal/Tests/Core/Access/RoutePathGenerationTraitTest.php
File
- core/lib/Drupal/Core/Access/CsrfAccessCheck.php, line 25
Namespace
Drupal\Core\Access
namespace Drupal\Core\Access;

use Drupal\Core\Routing\Access\AccessInterface as RoutingAccessInterface;
use Drupal\Core\Routing\RouteMatchInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Route;

class CsrfAccessCheck implements RoutingAccessInterface {
  use RoutePathGenerationTrait;

  /**
   * The CSRF token generator.
   */
  protected CsrfTokenGenerator $csrfToken;

  /**
   * Constructs a CsrfAccessCheck object.
   *
   * @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
   *   The CSRF token generator.
   */
  public function __construct(CsrfTokenGenerator $csrf_token) {
    $this->csrfToken = $csrf_token;
  }

  /**
   * Checks access based on a CSRF token for the request.
   *
   * @param \Symfony\Component\Routing\Route $route
   *   The route to check against.
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The request object.
   * @param \Drupal\Core\Routing\RouteMatchInterface $route_match
   *   The route match object.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   The access result.
   */
  public function access(Route $route, Request $request, RouteMatchInterface $route_match) {
    // Rebuild the value the token was generated against: the route path with
    // placeholders substituted by the raw (unconverted) route parameters and
    // without the leading slash.
    $path = $this->generateRoutePath($route, $route_match->getRawParameters()->all());
    // The token is read from the 'token' query parameter; a missing parameter
    // is validated as the empty string and therefore fails.
    if ($this->csrfToken->validate($request->query->get('token', ''), $path)) {
      $result = AccessResult::allowed();
    }
    else {
      // The messages name the argument 'csrf_token' although the parameter
      // actually checked is 'token'.
      $result = AccessResult::forbidden($request->query->has('token') ? "'csrf_token' URL query argument is invalid." : "'csrf_token' URL query argument is missing.");
    }
    // Not cacheable because the CSRF token is highly dynamic.
    return $result->setCacheMaxAge(0);
  }

}
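The following is an added example, not code from Drupal core or from this page, showing both ways of producing a link that passes this access check. The module name `example_csrf`, the route name `example_csrf.toggle`, the path `/example-csrf/toggle/{flag}` and the `ToggleController` class are assumptions made for the illustration; `Url::fromRoute()`, the `csrf_token` service and the `_csrf_token` / `_permission` requirement keys are real Drupal APIs.

```php
<?php

// Route definition assumed to live in example_csrf.routing.yml of the
// hypothetical example_csrf module. '_csrf_token' alone does not authorize
// anything, so it is paired with a permission requirement:
//
// example_csrf.toggle:
//   path: '/example-csrf/toggle/{flag}'
//   defaults:
//     _controller: '\Drupal\example_csrf\Controller\ToggleController::toggle'
//   requirements:
//     _permission: 'administer site configuration'
//     _csrf_token: 'TRUE'

namespace Drupal\example_csrf\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\RedirectResponse;

/**
 * Hypothetical controller for the example_csrf.toggle route.
 */
class ToggleController extends ControllerBase {

  /**
   * Page callback that renders links to the protected route.
   *
   * @return array
   *   A render array with two links, both carrying a valid 'token'.
   */
  public function links(): array {
    // Automatic: Url::fromRoute() goes through the url_generator service, so
    // RouteProcessorCsrf appends ?token=... for the current session. Any
    // 'token' query value supplied here would be overwritten by the processor.
    $auto = Url::fromRoute('example_csrf.toggle', ['flag' => 'on']);

    // Manual: generate the token from the path CsrfAccessCheck::access() will
    // rebuild on the request, i.e. placeholders substituted with the raw
    // parameter values and no leading slash. Using a different string (for
    // example '/example-csrf/toggle/on' or 'example-csrf/toggle/{flag}')
    // yields a token that fails validation.
    $path = 'example-csrf/toggle/off';
    $token = \Drupal::service('csrf_token')->get($path);
    $manual = '/' . $path . '?token=' . rawurlencode($token);

    return [
      '#theme' => 'item_list',
      '#items' => [
        [
          '#type' => 'link',
          '#title' => $this->t('Turn on (token added by the route processor)'),
          '#url' => $auto,
        ],
        [
          '#type' => 'link',
          '#title' => $this->t('Turn off (token generated manually)'),
          '#url' => Url::fromUri('internal:' . $manual),
        ],
      ],
      // Links contain session-bound tokens: keep the list per session.
      '#cache' => ['contexts' => ['session']],
    ];
  }

  /**
   * Controller for the protected route.
   *
   * CsrfAccessCheck has already validated the 'token' query parameter (and the
   * permission check has passed) before this method is reached.
   */
  public function toggle(string $flag): RedirectResponse {
    $this->messenger()->addStatus($this->t('Flag set to @flag.', ['@flag' => $flag]));
    return $this->redirect('<front>');
  }

}
```

The manual branch exists to make the contract visible: the access check compares the token against the substituted, slash-stripped route path, so a token generated from any other string, or for another session, is rejected with the "'csrf_token' URL query argument is invalid." reason shown in the class above. In practice, prefer the automatic branch and let RouteProcessorCsrf derive the path for you.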
Members

| Title | Modifiers | Object type | Summary |
|---|---|---|---|
| CsrfAccessCheck::$csrfToken | protected | property | The CSRF token generator. |
| CsrfAccessCheck::access | public | function | Checks access based on a CSRF token for the request. |
| CsrfAccessCheck::__construct | public | function | Constructs a CsrfAccessCheck object. |
| RoutePathGenerationTrait::generateRoutePath | public | function | Generates a route path by replacing placeholders with their values. |