class RouteProcessorCsrf
Same name in other branches
- 9 core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf
- 8.9.x core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf
- 11.x core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf
Processes the outbound route to handle the CSRF token.
Hierarchy
- class \Drupal\Core\Access\RouteProcessorCsrf implements \Drupal\Core\RouteProcessor\OutboundRouteProcessorInterface, \Drupal\Core\Security\TrustedCallbackInterface
Expanded class hierarchy of RouteProcessorCsrf
1 file declares its use of RouteProcessorCsrf
- RouteProcessorCsrfTest.php in core/
tests/ Drupal/ Tests/ Core/ Access/ RouteProcessorCsrfTest.php
1 string reference to 'RouteProcessorCsrf'
- core.services.yml in core/
core.services.yml - core/core.services.yml
1 service uses RouteProcessorCsrf
File
-
core/
lib/ Drupal/ Core/ Access/ RouteProcessorCsrf.php, line 14
Namespace
Drupal\Core\AccessView source
class RouteProcessorCsrf implements OutboundRouteProcessorInterface, TrustedCallbackInterface {
/**
* The CSRF token generator.
*
* @var \Drupal\Core\Access\CsrfTokenGenerator
*/
protected $csrfToken;
/**
* Constructs a RouteProcessorCsrf object.
*
* @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
* The CSRF token generator.
*/
public function __construct(CsrfTokenGenerator $csrf_token) {
$this->csrfToken = $csrf_token;
}
/**
* {@inheritdoc}
*/
public function processOutbound($route_name, Route $route, array &$parameters, ?BubbleableMetadata $bubbleable_metadata = NULL) {
if ($route->hasRequirement('_csrf_token')) {
$path = ltrim($route->getPath(), '/');
// Replace the path parameters with values from the parameters array.
foreach ($parameters as $param => $value) {
$path = str_replace("{{$param}}", $value, $path);
}
// Adding this to the parameters means it will get merged into the query
// string when the route is compiled.
if (!$bubbleable_metadata) {
$parameters['token'] = $this->csrfToken
->get($path);
}
else {
// Generate a placeholder and a render array to replace it.
$placeholder = Crypt::hashBase64($path);
$placeholder_render_array = [
'#lazy_builder' => [
'route_processor_csrf:renderPlaceholderCsrfToken',
[
$path,
],
],
];
// Instead of setting an actual CSRF token as the query string, we set
// the placeholder, which will be replaced at the very last moment. This
// ensures links with CSRF tokens don't break cacheability.
$parameters['token'] = $placeholder;
$bubbleable_metadata->addAttachments([
'placeholders' => [
$placeholder => $placeholder_render_array,
],
]);
}
}
}
/**
* #lazy_builder callback; gets a CSRF token for the given path.
*
* @param string $path
* The path to get a CSRF token for.
*
* @return array
* A renderable array representing the CSRF token.
*/
public function renderPlaceholderCsrfToken($path) {
return [
'#markup' => $this->csrfToken
->get($path),
// Tokens are per session.
'#cache' => [
'contexts' => [
'session',
],
],
];
}
/**
* {@inheritdoc}
*/
public static function trustedCallbacks() {
return [
'renderPlaceholderCsrfToken',
];
}
}
Members
Title Sort descending | Deprecated | Modifiers | Object type | Summary | Overriden Title |
---|---|---|---|---|---|
RouteProcessorCsrf::$csrfToken | protected | property | The CSRF token generator. | ||
RouteProcessorCsrf::processOutbound | public | function | |||
RouteProcessorCsrf::renderPlaceholderCsrfToken | public | function | #lazy_builder callback; gets a CSRF token for the given path. | ||
RouteProcessorCsrf::trustedCallbacks | public static | function | Lists the trusted callbacks provided by the implementing class. | Overrides TrustedCallbackInterface::trustedCallbacks | |
RouteProcessorCsrf::__construct | public | function | Constructs a RouteProcessorCsrf object. | ||
TrustedCallbackInterface::THROW_EXCEPTION | constant | Untrusted callbacks throw exceptions. | |||
TrustedCallbackInterface::TRIGGER_SILENCED_DEPRECATION | constant | Untrusted callbacks trigger silenced E_USER_DEPRECATION errors. | |||
TrustedCallbackInterface::TRIGGER_WARNING | Deprecated | constant | Untrusted callbacks trigger E_USER_WARNING errors. |
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.