<?php
namespace Drupal\Core\Access;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Session\SessionConfigurationInterface;
use Symfony\Component\Routing\Route;
use Symfony\Component\HttpFoundation\Request;
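/**
 * Access protection against CSRF attacks via the X-CSRF-Token request header.
 *
 * The check is attached to routes that declare the
 * '_csrf_request_header_token' requirement. Safe HTTP methods (GET, HEAD,
 * OPTIONS, TRACE) are never checked. For every other method the token is only
 * demanded from requests that are authenticated through a session, because a
 * browser-attached session cookie is what makes such a request forgeable.
 */
class CsrfRequestHeaderAccessCheck implements AccessCheckInterface {

  /**
   * The value the X-CSRF-Token header token is generated against.
   *
   * A token generated for the legacy 'rest' value is accepted as well.
   */
  const TOKEN_KEY = 'X-CSRF-Token request header';

  /**
   * HTTP methods that are not expected to change state and need no token.
   *
   * Shared by applies() and access() so the two lists cannot drift apart.
   *
   * @var string[]
   */
  const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

  /**
   * The session configuration.
   *
   * @var \Drupal\Core\Session\SessionConfigurationInterface
   */
  protected $sessionConfiguration;

  /**
   * The CSRF token generator.
   *
   * @var \Drupal\Core\Access\CsrfTokenGenerator
   */
  protected $csrfToken;

  /**
   * Constructs a new CsrfRequestHeaderAccessCheck object.
   *
   * @param \Drupal\Core\Session\SessionConfigurationInterface $session_configuration
   *   The session configuration.
   * @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
   *   The token generator used to validate the header value.
   */
  public function __construct(SessionConfigurationInterface $session_configuration, CsrfTokenGenerator $csrf_token) {
    $this->sessionConfiguration = $session_configuration;
    $this->csrfToken = $csrf_token;
  }

  /**
   * {@inheritdoc}
   *
   * Returns TRUE only for routes that carry the '_csrf_request_header_token'
   * requirement and that allow at least one non-safe HTTP method.
   */
  public function applies(Route $route) {
    $requirements = $route->getRequirements();
    if (!array_key_exists('_csrf_request_header_token', $requirements)) {
      // Return an explicit bool: falling off the end of the method would yield
      // NULL, which is falsy but not the boolean the interface documents.
      return FALSE;
    }
    if (isset($requirements['_method'])) {
      // A route restricted to safe methods only can never need the check.
      $methods = explode('|', $requirements['_method']);
      $write_methods = array_diff($methods, self::SAFE_METHODS);
      if (empty($write_methods)) {
        return FALSE;
      }
    }
    return TRUE;
  }

  /**
   * Checks access.
   *
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The request object.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The currently logged in account.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   Allowed for safe methods and for requests without a session; forbidden
   *   (with a reason) when a session-authenticated request is missing the
   *   header or carries a token that validates against neither key.
   */
  public function access(Request $request, AccountInterface $account) {
    // Safe methods are not required to carry a token.
    if (in_array($request->getMethod(), self::SAFE_METHODS, TRUE)) {
      return AccessResult::allowed();
    }

    // Only session-authenticated requests are checked: the browser attaches the
    // session cookie automatically, which is the CSRF vector. Requests that are
    // anonymous or authenticated without a session pass through untested.
    if ($account->isAuthenticated() && $this->sessionConfiguration->hasSession($request)) {
      if (!$request->headers->has('X-CSRF-Token')) {
        return AccessResult::forbidden()
          ->setReason('X-CSRF-Token request header is missing')
          ->setCacheMaxAge(0);
      }
      $csrf_token = $request->headers->get('X-CSRF-Token');
      // A token generated for either TOKEN_KEY or the legacy 'rest' value is
      // accepted; both must fail for the request to be rejected.
      if (!$this->csrfToken->validate($csrf_token, self::TOKEN_KEY) && !$this->csrfToken->validate($csrf_token, 'rest')) {
        return AccessResult::forbidden()
          ->setReason('X-CSRF-Token request header is invalid')
          ->setCacheMaxAge(0);
      }
    }

    // The outcome depends on the session and on a request header, so it must
    // never be served from cache.
    return AccessResult::allowed()
      ->setCacheMaxAge(0);
  }

}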