Implements AccessCheckInterface::access().
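/**
 * Implements AccessCheckInterface::access().
 *
 * Denies a state-changing REST request that carries a session cookie but no
 * valid CSRF token; in every other case it abstains so that the remaining
 * access checkers decide.
 *
 * The token is read from the X-CSRF-Token request header and validated with
 * drupal_valid_token() against the value 'rest'. Requests without a session
 * cookie are not subject to the check at all.
 * NOTE(review): that exemption assumes every non-cookie authentication
 * method is non-ambient (not attached automatically by a browser); confirm
 * this holds for any additional authentication providers.
 *
 * @param \Symfony\Component\Routing\Route $route
 *   The route being checked (unused here; the check is request-driven).
 * @param \Symfony\Component\HttpFoundation\Request $request
 *   The incoming request whose method, cookies and headers are inspected.
 *
 * @return bool|null
 *   FALSE when a write request from a logged-in user with a session cookie
 *   lacks a valid 'rest' CSRF token; NULL otherwise, meaning "no opinion"
 *   so other access checkers decide whether the request is legit.
 */
public function access(Route $route, Request $request) {
  // HTTP methods treated as read-only; they are never challenged for a token.
  $safe_methods = array('GET', 'HEAD', 'OPTIONS', 'TRACE');
  $method = $request->getMethod();
  // FALSE when no session cookie is present. Note that a cookie whose value
  // is '0' would also fail the truthiness test below and skip the check.
  $cookie = $request->cookies->get(session_name(), FALSE);

  // This check only applies if
  // 1. this is a write operation
  // 2. the user was successfully authenticated and
  // 3. the request comes with a session cookie.
  // in_array() is strict: $method is a string and loose comparison would
  // otherwise admit PHP's type-juggling surprises.
  if (!in_array($method, $safe_methods, TRUE) && user_is_logged_in() && $cookie) {
    // NULL when the header is absent; presumably that never validates.
    $csrf_token = $request->headers->get('X-CSRF-Token');
    if (!drupal_valid_token($csrf_token, 'rest')) {
      return FALSE;
    }
  }
  // As we do not perform any authorization here we always return NULL to
  // indicate that other access checkers should decide if the request is
  // legit.
  return NULL;
}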