function CsrfRequestHeaderAccessCheck::access

Same name and namespace in other branches
  1. 11.x core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
  2. 10 core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
  3. 9 core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
  4. 8.9.x core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()

Checks access.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The request object.

\Drupal\Core\Session\AccountInterface $account: The currently logged in account.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

File

core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php, line 80

Class

CsrfRequestHeaderAccessCheck
Access protection against CSRF attacks.

Namespace

Drupal\Core\Access

Code

public function access(Request $request, AccountInterface $account) {
  $method = $request->getMethod();
  // Read-only operations are always allowed.
  if (in_array($method, [
    'GET',
    'HEAD',
    'OPTIONS',
    'TRACE',
  ], TRUE)) {
    return AccessResult::allowed();
  }
  // This check only applies if
  // 1. the user was successfully authenticated and
  // 2. the request comes with a session cookie.
  if ($account->isAuthenticated() && $this->sessionConfiguration
    ->hasSession($request)) {
    if (!$request->headers
      ->has('X-CSRF-Token')) {
      return AccessResult::forbidden()->setReason('X-CSRF-Token request header is missing')
        ->setCacheMaxAge(0);
    }
    $csrf_token = $request->headers
      ->get('X-CSRF-Token');
    if (!$this->csrfToken
      ->validate($csrf_token, self::TOKEN_KEY)) {
      if ($this->csrfToken
        ->validate($csrf_token, 'rest')) {
        @trigger_error("Validating CSRF tokens with the 'rest' key is deprecated in drupal:11.4.0 and is removed from drupal:12.0.0. Sessions created before the upgrade to Drupal 9 are no longer supported. See https://www.drupal.org/node/3591939", E_USER_DEPRECATED);
      }
      else {
        return AccessResult::forbidden()->setReason('X-CSRF-Token request header is invalid')
          ->setCacheMaxAge(0);
      }
    }
  }
  // Let other access checkers decide if the request is legit.
  return AccessResult::allowed()->setCacheMaxAge(0);
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.