function QuickEditController::checkCsrf

Same name in other branches
  1. 8.9.x core/modules/quickedit/src/QuickEditController.php \Drupal\quickedit\QuickEditController::checkCsrf()

Throws an AccessDeniedHttpException if the request fails CSRF validation.

This is used instead of \Drupal\Core\Access\CsrfAccessCheck, in order to allow access for anonymous users.

@todo Refactor this to an access checker.

1 call to QuickEditController::checkCsrf()
QuickEditController::entitySave in core/modules/quickedit/src/QuickEditController.php
Saves an entity into the database, from PrivateTempStore.

File

core/modules/quickedit/src/QuickEditController.php, line 172

Class

QuickEditController
Returns responses for Quick Edit module routes.

Namespace

Drupal\quickedit

Code

private static function checkCsrf(Request $request, AccountInterface $account) {
    $header = 'X-Drupal-Quickedit-CSRF-Token';
    if (!$request->headers
        ->has($header)) {
        throw new AccessDeniedHttpException();
    }
    if ($account->isAnonymous()) {
        // For anonymous users, just the presence of the custom header is
        // sufficient protection.
        return;
    }
    // For authenticated users, validate the token value.
    $token = $request->headers
        ->get($header);
    if (!\Drupal::csrfToken()->validate($token, $header)) {
        throw new AccessDeniedHttpException();
    }
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.