annotate core/lib/Drupal/Core/Access/CsrfAccessCheck.php @ 19:fa3358dc1485 tip

Add ndrum files
author Chris Cannam
date Wed, 28 Aug 2019 13:14:47 +0100
parents 4c8ae668cc8c
children
Chris@0 1 <?php
Chris@0 2
Chris@0 3 namespace Drupal\Core\Access;
Chris@0 4
Chris@0 5 use Drupal\Core\Routing\Access\AccessInterface as RoutingAccessInterface;
Chris@0 6 use Drupal\Core\Routing\RouteMatchInterface;
Chris@0 7 use Symfony\Component\Routing\Route;
Chris@0 8 use Symfony\Component\HttpFoundation\Request;
Chris@0 9
Chris@0 10 /**
Chris@0 11 * Allows access to routes to be controlled by a '_csrf_token' parameter.
Chris@0 12 *
Chris@0 13 * To use this check, add the "_csrf_token" requirement to the route and append a
Chris@0 14 * "token" GET parameter whose value is generated by \Drupal::csrfToken()->get()
Chris@0 15 * seeded with the route path (leading "/" stripped, {placeholders} replaced by the raw route parameters), which is what access() validates against.
Chris@0 16 */
class CsrfAccessCheck implements RoutingAccessInterface {

  /**
   * Generator used to validate the token carried in the request.
   *
   * @var \Drupal\Core\Access\CsrfTokenGenerator
   */
  protected $csrfToken;

  /**
   * Constructs a CsrfAccessCheck object.
   *
   * @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
   *   The CSRF token generator.
   */
  public function __construct(CsrfTokenGenerator $csrf_token) {
    $this->csrfToken = $csrf_token;
  }

  /**
   * Grants access only when the request carries a valid token for this path.
   *
   * The token is validated against the matched route's path with every
   * {placeholder} substituted by the corresponding raw route parameter, so a
   * token obtained for one URL is meant not to be accepted on a different
   * route or with different parameter values.
   *
   * @param \Symfony\Component\Routing\Route $route
   *   The route to check against.
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The request object; the token is read from its "token" query argument.
   * @param \Drupal\Core\Routing\RouteMatchInterface $route_match
   *   The route match object supplying the raw parameters.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   Allowed on a valid token, forbidden otherwise; never cacheable.
   */
  public function access(Route $route, Request $request, RouteMatchInterface $route_match) {
    // Rebuild the concrete path the token must have been generated for.
    $seed = ltrim($route->getPath(), '/');
    foreach ($route_match->getRawParameters() as $name => $raw) {
      // NOTE(review): substitution is sequential, so a raw value that itself
      // contains "{other}" is rewritten again by a later parameter. The
      // token generator must build the seed the same way or tokens will not
      // match; confirm against the generating side.
      $seed = str_replace('{' . $name . '}', $raw, $seed);
    }

    $query = $request->query;
    if (!$this->csrfToken->validate($query->get('token', ''), $seed)) {
      // NOTE(review): the reason strings name 'csrf_token' although the query
      // argument read above is 'token'; kept verbatim because callers or
      // tests may match on this text.
      $reason = $query->has('token')
        ? "'csrf_token' URL query argument is invalid."
        : "'csrf_token' URL query argument is missing.";
      return AccessResult::forbidden($reason)->setCacheMaxAge(0);
    }

    // The token is highly dynamic, so the decision must never be served
    // from the access-result cache.
    return AccessResult::allowed()->setCacheMaxAge(0);
  }

}