public function CSRFAccessCheck::applies

Implements AccessCheckInterface::applies().

Overrides AccessCheckInterface::applies

File

drupal/core/modules/rest/lib/Drupal/rest/Access/CSRFAccessCheck.php, line 22
Contains Drupal\rest\Access\CSRFAccessCheck.

Class

CSRFAccessCheck
Access protection against CSRF attacks.

Namespace

Drupal\rest\Access

Code

public function applies(Route $route) {
  $requirements = $route
    ->getRequirements();
  if (array_key_exists('_access_rest_csrf', $requirements)) {
    if (isset($requirements['_method'])) {

      // There could be more than one method requirement separated with '|'.
      $methods = explode('|', $requirements['_method']);

      // CSRF protection only applies to write operations, so we can filter
      // out any routes that require reading methods only.
      $write_methods = array_diff($methods, array(
        'GET',
        'HEAD',
        'OPTIONS',
        'TRACE',
      ));
      if (empty($write_methods)) {
        return FALSE;
      }
    }

    // No method requirement given, so we run this access check to be on the
    // safe side.
    return TRUE;
  }
  return FALSE;
}