Code Coverage for /Users/ericduran/Sites/drupal/drupal/core/modules/rest/src/Access/CSRFAccessCheck.php

	Code Coverage
	Classes and Traits			Functions and Methods				Lines
Total	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 3	CRAP	0.00% covered (danger)	0.00%	0 / 26
CSRFAccessCheck	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 3	110	0.00% covered (danger)	0.00%	0 / 26
__construct				0.00% covered (danger)	0.00%	0 / 1	2	0.00% covered (danger)	0.00%	0 / 2
applies				0.00% covered (danger)	0.00%	0 / 1	20	0.00% covered (danger)	0.00%	0 / 12
access				0.00% covered (danger)	0.00%	0 / 1	30	0.00% covered (danger)	0.00%	0 / 12

1	<?php
2
3	/**
4	* @file
5	* Contains \Drupal\rest\Access\CSRFAccessCheck.
6	*/
7
8	namespace Drupal\rest\Access;
9
10	use Drupal\Core\Access\AccessCheckInterface;
11	use Drupal\Core\Access\AccessResult;
12	use Drupal\Core\Session\AccountInterface;
13	use Drupal\Core\Session\SessionConfigurationInterface;
14	use Symfony\Component\Routing\Route;
15	use Symfony\Component\HttpFoundation\Request;
16
17	/**
18	* Access protection against CSRF attacks.
19	*/
20	class CSRFAccessCheck implements AccessCheckInterface {
21
22	/**
23	* The session configuration.
24	*
25	* @var \Drupal\Core\Session\SessionConfigurationInterface
26	*/
27	protected $sessionConfiguration;
28
29	/**
30	* Constructs a new rest CSRF access check.
31	*
32	* @param \Drupal\Core\Session\SessionConfigurationInterface $session_configuration
33	* The session configuration.
34	*/
35	public function __construct(SessionConfigurationInterface $session_configuration) {
36	$this->sessionConfiguration = $session_configuration;
37	}
38
39	/**
40	* {@inheritdoc}
41	*/
42	public function applies(Route $route) {
43	$requirements = $route->getRequirements();
44
45	if (array_key_exists('_access_rest_csrf', $requirements)) {
46	if (isset($requirements['_method'])) {
47	// There could be more than one method requirement separated with '\|'.
48	$methods = explode('\|', $requirements['_method']);
49	// CSRF protection only applies to write operations, so we can filter
50	// out any routes that require reading methods only.
51	$write_methods = array_diff($methods, array('GET', 'HEAD', 'OPTIONS', 'TRACE'));
52	if (empty($write_methods)) {
53	return FALSE;
54	}
55	}
56	// No method requirement given, so we run this access check to be on the
57	// safe side.
58	return TRUE;
59	}
60	}
61
62	/**
63	* Checks access.
64	*
65	* @param \Symfony\Component\HttpFoundation\Request $request
66	* The request object.
67	* @param \Drupal\Core\Session\AccountInterface $account
68	* The currently logged in account.
69	*
70	* @return \Drupal\Core\Access\AccessResultInterface
71	* The access result.
72	*/
73	public function access(Request $request, AccountInterface $account) {
74	$method = $request->getMethod();
75
76	// This check only applies if
77	// 1. this is a write operation
78	// 2. the user was successfully authenticated and
79	// 3. the request comes with a session cookie.
80	if (!in_array($method, array('GET', 'HEAD', 'OPTIONS', 'TRACE'))
81	&& $account->isAuthenticated()
82	&& $this->sessionConfiguration->hasSession($request)
83	) {
84	$csrf_token = $request->headers->get('X-CSRF-Token');
85	if (!\Drupal::csrfToken()->validate($csrf_token, 'rest')) {
86	return AccessResult::forbidden()->setCacheMaxAge(0);
87	}
88	}
89	// Let other access checkers decide if the request is legit.
90	return AccessResult::allowed()->setCacheMaxAge(0);
91	}
92
93	}