function CsrfRequestHeaderAccessCheck::access
Same name and namespace in other branches
- 11.x core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
- 10 core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
- 9 core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
- 8.9.x core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
Checks access.
Parameters
\Symfony\Component\HttpFoundation\Request $request: The request object.
\Drupal\Core\Session\AccountInterface $account: The currently logged in account.
Return value
\Drupal\Core\Access\AccessResultInterface The access result.
File
core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php, line 80
Class
- CsrfRequestHeaderAccessCheck
- Access protection against CSRF attacks.
Namespace
Drupal\Core\Access
Code
public function access(Request $request, AccountInterface $account) {
  $method = $request->getMethod();

  // Read-only operations are always allowed. Strict comparison so that only
  // these exact method names bypass the check.
  if (in_array($method, ['GET', 'HEAD', 'OPTIONS', 'TRACE'], TRUE)) {
    return AccessResult::allowed();
  }

  // This check only applies if
  // 1. the user was successfully authenticated and
  // 2. the request comes with a session cookie.
  // Only cookie-based authentication can be forged by a third-party origin;
  // requests authenticated some other way are left to the other checkers.
  if ($account->isAuthenticated() && $this->sessionConfiguration->hasSession($request)) {
    if (!$request->headers->has('X-CSRF-Token')) {
      return AccessResult::forbidden()
        ->setReason('X-CSRF-Token request header is missing')
        ->setCacheMaxAge(0);
    }
    $csrf_token = $request->headers->get('X-CSRF-Token');
    if (!$this->csrfToken->validate($csrf_token, self::TOKEN_KEY)) {
      // Legacy fallback: tokens generated under the old 'rest' key are still
      // accepted, but trigger a deprecation notice.
      if ($this->csrfToken->validate($csrf_token, 'rest')) {
        @trigger_error("Validating CSRF tokens with the 'rest' key is deprecated in drupal:11.4.0 and is removed from drupal:12.0.0. Sessions created before the upgrade to Drupal 9 are no longer supported. See https://www.drupal.org/node/3591939", E_USER_DEPRECATED);
      }
      else {
        return AccessResult::forbidden()
          ->setReason('X-CSRF-Token request header is invalid')
          ->setCacheMaxAge(0);
      }
    }
  }

  // Let other access checkers decide if the request is legit. The result is
  // request-specific, so it must not be cached.
  return AccessResult::allowed()->setCacheMaxAge(0);
}
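The decision tree above, modelled as a stand-alone Python script so the individual branches can be exercised without a Drupal install. This is an added example, not Drupal's own code. The token derivation follows the scheme Drupal's CsrfTokenGenerator uses (a base64 HMAC-SHA256 over the token key, keyed with a per-session seed plus site secrets); the site secrets, the session and request classes, and the `deprecated` flag standing in for the E_USER_DEPRECATED notice are all constructed here for illustration.

```python
"""Model of CsrfRequestHeaderAccessCheck::access() (added example, not Drupal code)."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
TOKEN_KEY = "X-CSRF-Token request header"   # current token key (self::TOKEN_KEY)
LEGACY_KEY = "rest"                          # old key, still accepted with a deprecation

# Constructed stand-ins for the site's private key and hash salt.
PRIVATE_KEY = "constructed-private-key"
HASH_SALT = "constructed-hash-salt"


@dataclass
class Session:
    """Server-side session; the CSRF seed is created on first token request."""
    seed: Optional[str] = None


@dataclass
class Request:
    method: str
    authenticated: bool                      # result of $account->isAuthenticated()
    session: Optional[Session] = None        # None == no session cookie (hasSession() false)
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive, as in Symfony's HeaderBag.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def compute_token(seed: str, value: str) -> str:
    """Drupal-style token: URL-safe base64 of HMAC-SHA256(seed+secrets, value)."""
    key = (seed + PRIVATE_KEY + HASH_SALT).encode()
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def get_token(session: Session, value: str = TOKEN_KEY) -> str:
    """What a client obtains from /session/token: lazily seed the session, return the token."""
    if session.seed is None:
        session.seed = secrets.token_hex(32)
    return compute_token(session.seed, value)


def validate(session: Session, token: str, value: str) -> bool:
    """Constant-time comparison against the token this session would produce."""
    if session.seed is None:
        return False
    return hmac.compare_digest(compute_token(session.seed, value), token)


@dataclass
class AccessResult:
    allowed: bool
    reason: str = ""
    deprecated: bool = False   # True when the legacy 'rest' key matched


def access(request: Request) -> AccessResult:
    """Port of the access() decision tree on the page."""
    if request.method in SAFE_METHODS:
        return AccessResult(True)
    session = request.session
    # Only cookie-authenticated requests are exposed to CSRF. Anonymous
    # requests and non-cookie authentication fall through to other checkers.
    if request.authenticated and session is not None:
        token = request.header("X-CSRF-Token")
        if token is None:
            return AccessResult(False, "X-CSRF-Token request header is missing")
        if not validate(session, token, TOKEN_KEY):
            if validate(session, token, LEGACY_KEY):
                return AccessResult(True, deprecated=True)
            return AccessResult(False, "X-CSRF-Token request header is invalid")
    return AccessResult(True)


if __name__ == "__main__":
    victim = Session()
    good = get_token(victim)
    print(access(Request("POST", True, victim)))                                    # missing header
    print(access(Request("POST", True, victim, {"x-csrf-token": good})))             # allowed
    attacker = Session()
    print(access(Request("POST", True, victim, {"X-CSRF-Token": get_token(attacker)})))  # invalid
```

Two of the cases are worth noting. A token minted in one session is rejected in another because the HMAC is keyed with the session's own seed, so an attacker cannot fetch a token from their own session and replay it against a victim. And an unsafe request that carries no session cookie is allowed through by this checker even when the account is authenticated, which is correct for bearer-style authentication but means any route that accepts session cookies must reach this check (the `_csrf_request_header_token` requirement) rather than rely on another checker.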