class CsrfAccessCheck

Same name and namespace in other branches:
  9: core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck
  8.9.x: core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck
  10: core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck

Access protection against CSRF attacks.

The CsrfAccessCheck is added to any route that carries the '_csrf_token' route requirement. If a link or URL to a protected route is generated through the url_generator service, a valid token is added automatically. Otherwise, a valid token can be generated with the csrf_token service, passing the route's path (without the leading slash) as the value to generate the token for. That token is then supplied as the 'token' query parameter when the protected route is accessed.
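The following is an added example, not Drupal core code, showing how the route requirement, the url_generator and the csrf_token service fit together. It assumes a hypothetical module "mymodule" with the route shown in the leading comment and a "PublishController" class; the route name, paths and class are assumptions.

```php
<?php
namespace Drupal\mymodule\Controller;

// Added example (not Drupal core). Assumes a hypothetical module "mymodule"
// declaring this route in mymodule.routing.yml; the '_csrf_token' requirement
// is what attaches CsrfAccessCheck to it:
//
//   mymodule.node_publish:
//     path: '/mymodule/publish/{node}'
//     defaults:
//       _controller: '\Drupal\mymodule\Controller\PublishController::publish'
//     requirements:
//       _permission: 'administer nodes'
//       _csrf_token: 'TRUE'

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Drupal\node\NodeInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;

class PublishController extends ControllerBase {

  // Preferred: let the url_generator add ?token=... itself (via
  // RouteProcessorCsrf), so no caller ever computes a token by hand.
  public function publishLink(NodeInterface $node): array {
    return [
      '#type' => 'link',
      '#title' => $this->t('Publish'),
      '#url' => Url::fromRoute('mymodule.node_publish', ['node' => $node->id()]),
    ];
  }

  // Manual form for a URL assembled outside the url_generator. The seed is
  // the route path with the placeholder filled in and the leading slash
  // removed, which is exactly what CsrfAccessCheck::access() rebuilds from
  // $route->getPath() and the raw route parameters before validating.
  public function manualToken(NodeInterface $node): string {
    return \Drupal::csrfToken()->get('mymodule/publish/' . $node->id());
  }

  // Runs only after CsrfAccessCheck has accepted the 'token' query parameter;
  // a missing or mismatched token yields AccessResult::forbidden() instead.
  public function publish(NodeInterface $node): RedirectResponse {
    $node->setPublished()->save();
    return $this->redirect('entity.node.canonical', ['node' => $node->id()]);
  }

}
```

Because the token is derived from the concrete path (placeholders already substituted), a token minted for one node id will not validate for another.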


See also

\Drupal\Core\Access\RouteProcessorCsrf

\Drupal\Core\Access\CsrfTokenGenerator

https://www.drupal.org/docs/8/api/routing-system/access-checking-on-rou…

1 file declares its use of CsrfAccessCheck
CsrfAccessCheckTest.php in core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php

File

core/lib/Drupal/Core/Access/CsrfAccessCheck.php, line 25

Namespace

Drupal\Core\Access
namespace Drupal\Core\Access;

use Drupal\Core\Routing\Access\AccessInterface as RoutingAccessInterface;
use Drupal\Core\Routing\RouteMatchInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Route;

/**
 * Access protection against CSRF attacks.
 */
class CsrfAccessCheck implements RoutingAccessInterface {

  /**
   * The CSRF token generator.
   *
   * @var \Drupal\Core\Access\CsrfTokenGenerator
   */
  protected $csrfToken;

  /**
   * Constructs a CsrfAccessCheck object.
   *
   * @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
   *   The CSRF token generator.
   */
  public function __construct(CsrfTokenGenerator $csrf_token) {
    $this->csrfToken = $csrf_token;
  }

  /**
   * Checks access based on a CSRF token for the request.
   *
   * @param \Symfony\Component\Routing\Route $route
   *   The route to check against.
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The request object.
   * @param \Drupal\Core\Routing\RouteMatchInterface $route_match
   *   The route match object.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   The access result.
   */
  public function access(Route $route, Request $request, RouteMatchInterface $route_match) {
    $parameters = $route_match->getRawParameters();
    // The token seed is the route path without its leading slash.
    $path = ltrim($route->getPath(), '/');
    // Replace the path placeholders with the raw values from the route match,
    // so the seed matches the concrete path the token was generated for.
    foreach ($parameters as $param => $value) {
      $path = str_replace("{{$param}}", $value, $path);
    }
    if ($this->csrfToken->validate($request->query->get('token', ''), $path)) {
      $result = AccessResult::allowed();
    }
    else {
      $result = AccessResult::forbidden($request->query->has('token') ? "'csrf_token' URL query argument is invalid." : "'csrf_token' URL query argument is missing.");
    }
    // Not cacheable because the CSRF token is highly dynamic.
    return $result->setCacheMaxAge(0);
  }

}

Members

Title                         Modifiers   Object type   Summary
CsrfAccessCheck::$csrfToken   protected   property      The CSRF token generator.
CsrfAccessCheck::access       public      function      Checks access based on a CSRF token for the request.
CsrfAccessCheck::__construct  public      function      Constructs a CsrfAccessCheck object.
