class CsrfAccessCheck
Same name in other branches
- 9 core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck
- 8.9.x core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck
- 11.x core/lib/Drupal/Core/Access/CsrfAccessCheck.php \Drupal\Core\Access\CsrfAccessCheck
Access protection against CSRF attacks.
The CsrfAccessCheck is added to any route with the '_csrf_token' route requirement. If a link/url to a protected route is generated using the url_generator service, a valid token will be added automatically. Otherwise, a valid token can be generated by the csrf_token service using the route's path (without leading slash) as the argument when generating the token. This token can then be added as the 'token' query parameter when accessing the protected route.
Hierarchy
- class \Drupal\Core\Access\CsrfAccessCheck implements \Drupal\Core\Routing\Access\AccessInterface
Expanded class hierarchy of CsrfAccessCheck
See also
\Drupal\Core\Access\RouteProcessorCsrf
\Drupal\Core\Access\CsrfTokenGenerator
https://www.drupal.org/docs/8/api/routing-system/access-checking-on-rou…
1 file declares its use of CsrfAccessCheck
- CsrfAccessCheckTest.php in core/
tests/ Drupal/ Tests/ Core/ Access/ CsrfAccessCheckTest.php
1 string reference to 'CsrfAccessCheck'
- core.services.yml in core/
core.services.yml - core/core.services.yml
1 service uses CsrfAccessCheck
File
-
core/
lib/ Drupal/ Core/ Access/ CsrfAccessCheck.php, line 25
Namespace
Drupal\Core\AccessView source
class CsrfAccessCheck implements RoutingAccessInterface {
/**
* The CSRF token generator.
*
* @var \Drupal\Core\Access\CsrfTokenGenerator
*/
protected $csrfToken;
/**
* Constructs a CsrfAccessCheck object.
*
* @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
* The CSRF token generator.
*/
public function __construct(CsrfTokenGenerator $csrf_token) {
$this->csrfToken = $csrf_token;
}
/**
* Checks access based on a CSRF token for the request.
*
* @param \Symfony\Component\Routing\Route $route
* The route to check against.
* @param \Symfony\Component\HttpFoundation\Request $request
* The request object.
* @param \Drupal\Core\Routing\RouteMatchInterface $route_match
* The route match object.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(Route $route, Request $request, RouteMatchInterface $route_match) {
$parameters = $route_match->getRawParameters();
$path = ltrim($route->getPath(), '/');
// Replace the path parameters with values from the parameters array.
foreach ($parameters as $param => $value) {
$path = str_replace("{{$param}}", $value, $path);
}
if ($this->csrfToken
->validate($request->query
->get('token', ''), $path)) {
$result = AccessResult::allowed();
}
else {
$result = AccessResult::forbidden($request->query
->has('token') ? "'csrf_token' URL query argument is invalid." : "'csrf_token' URL query argument is missing.");
}
// Not cacheable because the CSRF token is highly dynamic.
return $result->setCacheMaxAge(0);
}
}
Members
Title Sort descending | Modifiers | Object type | Summary |
---|---|---|---|
CsrfAccessCheck::$csrfToken | protected | property | The CSRF token generator. |
CsrfAccessCheck::access | public | function | Checks access based on a CSRF token for the request. |
CsrfAccessCheck::__construct | public | function | Constructs a CsrfAccessCheck object. |
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.