function CsrfRequestHeaderAccessCheck::applies

Same name in other branches
  1. 9 core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::applies()
  2. 8.9.x core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::applies()
  3. 11.x core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::applies()

Overrides AccessCheckInterface::applies

File

core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php, line 50

Class

CsrfRequestHeaderAccessCheck
Access protection against CSRF attacks.

Namespace

Drupal\Core\Access

Code

public function applies(Route $route) {
    $requirements = $route->getRequirements();
    if (array_key_exists('_csrf_request_header_token', $requirements)) {
        if (isset($requirements['_method'])) {
            // There could be more than one method requirement separated with '|'.
            $methods = explode('|', $requirements['_method']);
            // CSRF protection only applies to write operations, so we can filter
            // out any routes that require reading methods only.
            $write_methods = array_diff($methods, [
                'GET',
                'HEAD',
                'OPTIONS',
                'TRACE',
            ]);
            if (empty($write_methods)) {
                return FALSE;
            }
        }
        // No method requirement given, so we run this access check to be on the
        // safe side.
        return TRUE;
    }
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.