function QuickEditController::checkCsrf

Same name and namespace in other branches
  1. 8.9.x core/modules/quickedit/src/QuickEditController.php \Drupal\quickedit\QuickEditController::checkCsrf()

Throws an AccessDeniedHttpException if the request fails CSRF validation.

This is used instead of \Drupal\Core\Access\CsrfAccessCheck, in order to allow access for anonymous users.

@todo Refactor this to an access checker.

1 call to QuickEditController::checkCsrf()
QuickEditController::entitySave in core/modules/quickedit/src/QuickEditController.php
Saves an entity into the database, from PrivateTempStore.

File

core/modules/quickedit/src/QuickEditController.php, line 172

Class

QuickEditController
Returns responses for Quick Edit module routes.

Namespace

Drupal\quickedit

Code

private static function checkCsrf(Request $request, AccountInterface $account) {
  $header = 'X-Drupal-Quickedit-CSRF-Token';
  if (!$request->headers->has($header)) {
    throw new AccessDeniedHttpException();
  }
  if ($account->isAnonymous()) {
    // For anonymous users, just the presence of the custom header is
    // sufficient protection.
    return;
  }
  // For authenticated users, validate the token value.
  $token = $request->headers->get($header);
  if (!\Drupal::csrfToken()->validate($token, $header)) {
    throw new AccessDeniedHttpException();
  }
}
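The following is an added example, not code from Drupal or from this page: it replays the decision table of checkCsrf() outside the Drupal kernel so the anonymous and authenticated branches can be compared side by side. FakeCsrfToken and quickeditCsrfAllows are constructed stand-ins (FakeCsrfToken only mimics the get()/validate() shape of \Drupal\Core\Access\CsrfTokenGenerator), and the session secret is a placeholder.

```php
<?php
// Added example, not Drupal code: replays the decision table of checkCsrf()
// outside the Drupal kernel. FakeCsrfToken is a constructed stand-in for
// \Drupal::csrfToken() with the get()/validate() shape of CsrfTokenGenerator:
// an HMAC over the CSRF "value", keyed by a per-session secret.
final class FakeCsrfToken {
  private string $secret;
  public function __construct(string $secret) { $this->secret = $secret; }
  public function get(string $value = ''): string {
    return hash_hmac('sha256', $value, $this->secret);
  }
  public function validate(string $token, string $value = ''): bool {
    return hash_equals($this->get($value), $token);
  }
}

// TRUE where checkCsrf() returns normally, FALSE where it would throw.
function quickeditCsrfAllows(array $headers, bool $anonymous, FakeCsrfToken $csrf): bool {
  $header = 'X-Drupal-Quickedit-CSRF-Token';
  if (!array_key_exists($header, $headers)) {
    return FALSE;
  }
  if ($anonymous) {
    // A cross-site HTML form cannot add a custom request header, and a
    // cross-origin XHR/fetch that adds one is refused unless CORS allows it,
    // so the header's presence shows the request came from same-origin script.
    return TRUE;
  }
  // Authenticated: the token must be the one minted for this header name,
  // i.e. what \Drupal::csrfToken()->get($header) hands to the client.
  return $csrf->validate($headers[$header], $header);
}

$csrf = new FakeCsrfToken('constructed-session-secret');
$header = 'X-Drupal-Quickedit-CSRF-Token';
$cases = [
  'anonymous, no header'            => [[], TRUE, FALSE],
  'anonymous, any header value'     => [[$header => 'x'], TRUE, TRUE],
  'authenticated, no header'        => [[], FALSE, FALSE],
  'authenticated, forged token'     => [[$header => 'x'], FALSE, FALSE],
  'authenticated, token for ""'     => [[$header => $csrf->get('')], FALSE, FALSE],
  'authenticated, token for header' => [[$header => $csrf->get($header)], FALSE, TRUE],
];
foreach ($cases as $name => [$headers, $anonymous, $expected]) {
  $allowed = quickeditCsrfAllows($headers, $anonymous, $csrf);
  printf("%-32s %s\n", $name, $allowed === $expected ? 'as expected' : 'MISMATCH');
}
```

The last two cases show that the token is bound to the header name passed as the second argument of validate(), so a token minted for a different value is rejected even for a logged-in user.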
