MENU
Edit
In Place Editing Advanced Editing

CsrfRequestHeaderAccessCheck::applies

public CsrfRequestHeaderAccessCheck::applies(Route $route)

Declares whether the access check applies to a specific route or not.

Parameters

\Symfony\Component\Routing\Route $route: The route to consider attaching to.

Return value

array An array of route requirement keys this access checker applies to.

Overrides AccessCheckInterface::applies

File

core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php, line 50

Class

CsrfRequestHeaderAccessCheck
Access protection against CSRF attacks.

Namespace

Drupal\Core\Access

Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
public function applies(Route $route) {
  $requirements = $route->getRequirements();
  // Check for current requirement _csrf_request_header_token and deprecated
  // REST requirement.
  $applicable_requirements = [
    '_csrf_request_header_token',
    // @todo Remove _access_rest_csrf in Drupal 9.0.0.
    '_access_rest_csrf',
  ];
  $requirement_keys = array_keys($requirements);
 
  if (array_intersect($applicable_requirements, $requirement_keys)) {
    if (isset($requirements['_method'])) {
      // There could be more than one method requirement separated with '|'.
      $methods = explode('|', $requirements['_method']);
      // CSRF protection only applies to write operations, so we can filter
      // out any routes that require reading methods only.
      $write_methods = array_diff($methods, array('GET', 'HEAD', 'OPTIONS', 'TRACE'));
      if (empty($write_methods)) {
        return FALSE;
      }
    }
    // No method requirement given, so we run this access check to be on the
    // safe side.
    return TRUE;
  }
}
doc_Drupal
doc_Drupal
2025-01-10 15:47:30
Comments
Leave a Comment

Please login to continue.