function CsrfRequestHeaderAccessCheck::applies

Same name in other branches
  1. 9 core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::applies()
  2. 10 core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::applies()
  3. 11.x core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::applies()

Overrides AccessCheckInterface::applies

File

core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php, line 50

Class

CsrfRequestHeaderAccessCheck
Access protection against CSRF attacks.

Namespace

Drupal\Core\Access

Code

public function applies(Route $route) {
    $requirements = $route->getRequirements();
    // Check for current requirement _csrf_request_header_token and deprecated
    // REST requirement.
    $applicable_requirements = [
        '_csrf_request_header_token',
        // @todo Remove _access_rest_csrf in Drupal 10.0.0
        // https://www.drupal.org/node/3115308
        '_access_rest_csrf',
    ];
    if ($route->hasRequirement('_access_rest_csrf')) {
        @trigger_error('Route requirement _access_rest_csrf is deprecated in drupal:8.2.0 and is removed in drupal:10.0.0. Use _csrf_request_header_token instead. See https://www.drupal.org/node/2772399', E_USER_DEPRECATED);
    }
    $requirement_keys = array_keys($requirements);
    if (array_intersect($applicable_requirements, $requirement_keys)) {
        if (isset($requirements['_method'])) {
            // There could be more than one method requirement separated with '|'.
            $methods = explode('|', $requirements['_method']);
            // CSRF protection only applies to write operations, so we can filter
            // out any routes that require reading methods only.
            $write_methods = array_diff($methods, [
                'GET',
                'HEAD',
                'OPTIONS',
                'TRACE',
            ]);
            if (empty($write_methods)) {
                return FALSE;
            }
        }
        // No method requirement given, so we run this access check to be on the
        // safe side.
        return TRUE;
    }
}
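
The following is an added example, not part of Drupal core. It mirrors the decision logic of applies() on a plain requirements array, leaving out the Route object and the deprecation notice, to show which route requirements cause the CSRF header check to run. The helper name csrf_header_check_applies() and all requirement sets are constructed for illustration.

```php
<?php
// Added illustration: mirrors the decision in applies() on a plain
// requirements array, so it runs without Drupal or Symfony.
// csrf_header_check_applies() is a hypothetical helper, not a Drupal API.
function csrf_header_check_applies(array $requirements): ?bool {
    $applicable = ['_csrf_request_header_token', '_access_rest_csrf'];
    if (!array_intersect($applicable, array_keys($requirements))) {
        // As in the listing, no return statement is reached here: NULL.
        return NULL;
    }
    if (isset($requirements['_method'])) {
        $write_methods = array_diff(
            explode('|', $requirements['_method']),
            ['GET', 'HEAD', 'OPTIONS', 'TRACE']
        );
        if (empty($write_methods)) {
            // Only read methods are allowed on this route: skip the check.
            return FALSE;
        }
    }
    // A write method is allowed, or no _method is given: run the check.
    return TRUE;
}

// Constructed requirement sets (not taken from any real module).
$csrf = ['_csrf_request_header_token' => 'TRUE'];
$cases = [
    'write only'            => $csrf + ['_method' => 'POST'],
    'read only'             => $csrf + ['_method' => 'GET|HEAD'],
    'mixed read and write'  => $csrf + ['_method' => 'GET|PATCH'],
    'no _method'            => $csrf,
    // array_diff() compares case-sensitively, so 'get' is not filtered out.
    'lowercase read method' => $csrf + ['_method' => 'get'],
    'deprecated key'        => ['_access_rest_csrf' => 'TRUE', '_method' => 'DELETE'],
    'no CSRF requirement'   => ['_permission' => 'access content', '_method' => 'POST'],
];

foreach ($cases as $label => $requirements) {
    printf("%-22s %s\n", $label, var_export(csrf_header_check_applies($requirements), TRUE));
}
```

A route that lists any write method alongside read methods still gets the check, and a route without either requirement key is never covered by it, whatever its methods.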
