class RouteProcessorCsrf

Same name and namespace in other branches
  1. 9 core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf
  2. 8.9.x core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf
  3. 10 core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf

Processes the outbound route to handle the CSRF token.

2 files declare their use of RouteProcessorCsrf
RoutePathGenerationTraitTest.php in core/tests/Drupal/Tests/Core/Access/RoutePathGenerationTraitTest.php
RouteProcessorCsrfTest.php in core/tests/Drupal/Tests/Core/Access/RouteProcessorCsrfTest.php
1 string reference to 'RouteProcessorCsrf'
core.services.yml in core/core.services.yml
1 service uses RouteProcessorCsrf
route_processor_csrf in core/core.services.yml
Drupal\Core\Access\RouteProcessorCsrf

File

core/lib/Drupal/Core/Access/RouteProcessorCsrf.php, line 15

Namespace

Drupal\Core\Access
View source
class RouteProcessorCsrf implements OutboundRouteProcessorInterface, TrustedCallbackInterface {
  use RoutePathGenerationTrait;
  
  /**
   * Constructs a RouteProcessorCsrf object.
   *
   * @param \Drupal\Core\Access\CsrfTokenGenerator $csrfToken
   *   The CSRF token generator.
   * @param \Symfony\Component\HttpFoundation\RequestStack|null $requestStack
   *   The request stack.
   */
  public function __construct(protected CsrfTokenGenerator $csrfToken, protected ?RequestStack $requestStack = NULL) {
    if ($requestStack === NULL) {
      @trigger_error('Calling ' . __CLASS__ . ' constructor without the $requestStack argument is deprecated in drupal:11.2.0 and it will be required in drupal:12.0.0. See https://www.drupal.org/project/drupal/issues/3485174', E_USER_DEPRECATED);
      $this->requestStack = \Drupal::service('request_stack');
    }
  }
  
  /**
   * {@inheritdoc}
   */
  public function processOutbound($route_name, Route $route, array &$parameters, ?BubbleableMetadata $bubbleable_metadata = NULL) {
    if ($route->hasRequirement('_csrf_token')) {
      $path = $this->generateRoutePath($route, $parameters);
      // Adding this to the parameters means it will get merged into the query
      // string when the route is compiled.
      if (!$bubbleable_metadata || $this->requestStack
        ->getCurrentRequest()
        ->getRequestFormat() !== 'html') {
        $parameters['token'] = $this->csrfToken
          ->get($path);
      }
      else {
        // Generate a placeholder and a render array to replace it.
        $placeholder = Crypt::hashBase64($path);
        $placeholder_render_array = [
          '#lazy_builder' => [
            'route_processor_csrf:renderPlaceholderCsrfToken',
            [
              $path,
            ],
          ],
        ];
        // Instead of setting an actual CSRF token as the query string, we set
        // the placeholder, which will be replaced at the very last moment. This
        // ensures links with CSRF tokens don't break cacheability.
        $parameters['token'] = $placeholder;
        $bubbleable_metadata->addAttachments([
          'placeholders' => [
            $placeholder => $placeholder_render_array,
          ],
        ]);
      }
    }
  }
  
  /**
   * Render API callback: Adds a CSRF token for the given path to the markup.
   *
   * This function is assigned as a #lazy_builder callback.
   *
   * @param string $path
   *   The path to get a CSRF token for.
   *
   * @return array
   *   A renderable array representing the CSRF token.
   */
  public function renderPlaceholderCsrfToken($path) {
    return [
      '#markup' => $this->csrfToken
        ->get($path),
      // Tokens are per session.
      '#cache' => [
        'contexts' => [
          'session',
        ],
      ],
    ];
  }
  
  /**
   * {@inheritdoc}
   */
  public static function trustedCallbacks() {
    return [
      'renderPlaceholderCsrfToken',
    ];
  }

}
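
The caching trade-off handled by processOutbound() and renderPlaceholderCsrfToken(), as an added example that is not Drupal core code: simplified stand-ins (a SHA-256 placeholder hash and an HMAC token keyed by a constructed site secret and session seed) show one cached link serving two sessions, each getting its own token at replacement time. All function names and sample values below are hypothetical.

```php
<?php
// Added illustration with simplified stand-ins; not Drupal's implementation.

/** URL-safe base64 of a SHA-256 digest, used as the cacheable placeholder. */
function placeholder_for(string $path): string {
  return rtrim(strtr(base64_encode(hash('sha256', $path, TRUE)), '+/', '-_'), '=');
}

/** Per-session token for a path: HMAC keyed by session seed plus site secret. */
function csrf_token(string $path, string $sessionSeed, string $siteSecret): string {
  $mac = hash_hmac('sha256', $path, $sessionSeed . $siteSecret, TRUE);
  return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
}

/** Constant-time check of a submitted token against the expected one. */
function csrf_valid(string $token, string $path, string $sessionSeed, string $siteSecret): bool {
  return hash_equals(csrf_token($path, $sessionSeed, $siteSecret), $token);
}

/** Late replacement: swap each placeholder for the current session's token. */
function replace_placeholders(string $markup, array $placeholders, string $sessionSeed, string $siteSecret): string {
  foreach ($placeholders as $placeholder => $path) {
    $markup = str_replace($placeholder, csrf_token($path, $sessionSeed, $siteSecret), $markup);
  }
  return $markup;
}

// Constructed sample values.
$siteSecret = 'constructed-site-secret';
$path = 'node/42/delete-quick';
$placeholder = placeholder_for($path);

// Built once and stored in a cache shared by all sessions: no token inside.
$cachedMarkup = '<a href="/' . $path . '?token=' . $placeholder . '">Delete</a>';
$attached = [$placeholder => $path];

foreach (['alice-session-seed', 'bob-session-seed'] as $seed) {
  $html = replace_placeholders($cachedMarkup, $attached, $seed, $siteSecret);
  preg_match('/token=([\w-]+)/', $html, $m);
  // A token must validate only for its own session and its own path.
  printf("%s: own=%s other-session=%s other-path=%s\n", $seed,
    var_export(csrf_valid($m[1], $path, $seed, $siteSecret), TRUE),
    var_export(csrf_valid($m[1], $path, 'mallory-session-seed', $siteSecret), TRUE),
    var_export(csrf_valid($m[1], 'node/43/delete-quick', $seed, $siteSecret), TRUE));
}
```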

Members

| Title | Modifiers | Object type | Summary | Overrides |
| --- | --- | --- | --- | --- |
| RoutePathGenerationTrait::generateRoutePath | public | function | Generates a route path by replacing placeholders with their values. | |
| RouteProcessorCsrf::processOutbound | public | function | Processes the outbound route. | OutboundRouteProcessorInterface::processOutbound |
| RouteProcessorCsrf::renderPlaceholderCsrfToken | public | function | Render API callback: Adds a CSRF token for the given path to the markup. | |
| RouteProcessorCsrf::trustedCallbacks | public static | function | Lists the trusted callbacks provided by the implementing class. | TrustedCallbackInterface::trustedCallbacks |
| RouteProcessorCsrf::__construct | public | function | Constructs a RouteProcessorCsrf object. | |
| TrustedCallbackInterface::THROW_EXCEPTION | | constant | Untrusted callbacks throw exceptions. | |
| TrustedCallbackInterface::TRIGGER_SILENCED_DEPRECATION | | constant | Untrusted callbacks trigger silenced E_USER_DEPRECATION errors. | |
