Same name and namespace in other branches
  1. 8.9.x core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck
  2. 9 core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck

Access protection against CSRF attacks.

The CsrfAccessCheck is added to any route with the '_csrf_token' route requirement. If a link/url to a protected route is generated using the url_generator service, a valid token will be added automatically. Otherwise, a valid token can be generated by the csrf_token service using the route's path (without leading slash) as the argument when generating the token. This token can then be added as the 'token' query parameter when accessing the protected route.

Hierarchy

Expanded class hierarchy of CsrfAccessCheck

See also

\Drupal\Core\Access\RouteProcessorCsrf

\Drupal\Core\Access\CsrfTokenGenerator

https://www.drupal.org/docs/8/api/routing-system/access-checking-on-rout...

1 file declares its use of CsrfAccessCheck
CsrfAccessCheckTest.php in core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php
1 string reference to 'CsrfAccessCheck'
core.services.yml in core/core.services.yml
core/core.services.yml
1 service uses CsrfAccessCheck
access_check.csrf in core/core.services.yml
Drupal\Core\Access\CsrfAccessCheck

File

core/lib/Drupal/Core/Access/CsrfAccessCheck.php, line 25

Namespace

Drupal\Core\Access
View source
class CsrfAccessCheck implements RoutingAccessInterface {

  /**
   * The CSRF token generator.
   *
   * @var \Drupal\Core\Access\CsrfTokenGenerator
   */
  protected $csrfToken;

  /**
   * Constructs a CsrfAccessCheck object.
   *
   * @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
   *   The CSRF token generator.
   */
  public function __construct(CsrfTokenGenerator $csrf_token) {
    $this->csrfToken = $csrf_token;
  }

  /**
   * Checks access based on a CSRF token for the request.
   *
   * @param \Symfony\Component\Routing\Route $route
   *   The route to check against.
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The request object.
   * @param \Drupal\Core\Routing\RouteMatchInterface $route_match
   *   The route match object.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   The access result.
   */
  public function access(Route $route, Request $request, RouteMatchInterface $route_match) {
    $parameters = $route_match
      ->getRawParameters();
    $path = ltrim($route
      ->getPath(), '/');

    // Replace the path parameters with values from the parameters array.
    foreach ($parameters as $param => $value) {
      $path = str_replace("{{$param}}", $value, $path);
    }
    if ($this->csrfToken
      ->validate($request->query
      ->get('token', ''), $path)) {
      $result = AccessResult::allowed();
    }
    else {
      $result = AccessResult::forbidden($request->query
        ->has('token') ? "'csrf_token' URL query argument is invalid." : "'csrf_token' URL query argument is missing.");
    }

    // Not cacheable because the CSRF token is highly dynamic.
    return $result
      ->setCacheMaxAge(0);
  }

}

Members

Namesort descending Modifiers Type Description Overrides
CsrfAccessCheck::$csrfToken protected property The CSRF token generator.
CsrfAccessCheck::access public function Checks access based on a CSRF token for the request.
CsrfAccessCheck::__construct public function Constructs a CsrfAccessCheck object.