public function RouteProcessorCsrf::processOutbound

public RouteProcessorCsrf::processOutbound($route_name, Route $route, array &$parameters, BubbleableMetadata $bubbleable_metadata = NULL)

Processes the outbound route.

Parameters

string $route_name: The route name.

\Symfony\Component\Routing\Route $route: The outbound route to process.

array $parameters: An array of parameters to be passed to the route compiler. Passed by reference.

\Drupal\Core\Render\BubbleableMetadata $bubbleable_metadata: (optional) Object to collect route processors' bubbleable metadata.

Return value

The processed path.

Overrides OutboundRouteProcessorInterface::processOutbound

File

core/lib/Drupal/Core/Access/RouteProcessorCsrf.php, line 34

Class

RouteProcessorCsrf
Processes the outbound route to handle the CSRF token.

Namespace

Drupal\Core\Access

Code

public function processOutbound($route_name, Route $route, array &$parameters, BubbleableMetadata $bubbleable_metadata = NULL) {
  if ($route->hasRequirement('_csrf_token')) {
    $path = ltrim($route->getPath(), '/');
    // Replace the path parameters with values from the parameters array.
    foreach ($parameters as $param => $value) {
      $path = str_replace("{{$param}}", $value, $path);
    }
    // Adding this to the parameters means it will get merged into the query
    // string when the route is compiled.
    if (!$bubbleable_metadata) {
      $parameters['token'] = $this->csrfToken->get($path);
    }
    else {
      // Generate a placeholder and a render array to replace it.
      $placeholder = hash('sha1', $path);
      $placeholder_render_array = [
        '#lazy_builder' => ['route_processor_csrf:renderPlaceholderCsrfToken', [$path]],
      ];

      // Instead of setting an actual CSRF token as the query string, we set
      // the placeholder, which will be replaced at the very last moment. This
      // ensures links with CSRF tokens don't break cacheability.
      $parameters['token'] = $placeholder;
      $bubbleable_metadata->addAttachments(['placeholders' => [$placeholder => $placeholder_render_array]]);
    }
  }
}
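
The placeholder flow above, as an added, simplified example that is not Drupal's own code: the cached link carries sha1(path), and the per-session token is substituted only at output time. The HMAC scheme, the helper names, the seeds and the site key are assumptions made for illustration, and Drupal's lazy builder is modelled here as a plain string replacement.

```php
<?php
// Added illustration: a simplified model, not Drupal's CsrfTokenGenerator.
// Resolve the path the way processOutbound() does: drop the leading slash,
// then substitute each {param} slug.
function resolve_path(string $route_path, array $parameters): string {
  $path = ltrim($route_path, '/');
  foreach ($parameters as $param => $value) {
    $path = str_replace('{' . $param . '}', $value, $path);
  }
  return $path;
}

// Assumed token scheme: URL-safe base64 of HMAC-SHA256 over the path, keyed
// with a per-session seed plus a site-wide secret.
function csrf_token_for(string $path, string $seed, string $site_key): string {
  $mac = hash_hmac('sha256', $path, $seed . $site_key, TRUE);
  return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
}

// Cacheable step: the link carries sha1(path), identical for every user.
function build_cacheable_link(string $route_path, array $parameters, array &$placeholders): string {
  $path = resolve_path($route_path, $parameters);
  $placeholder = hash('sha1', $path);
  $placeholders[$placeholder] = $path;
  return '/' . $path . '?token=' . $placeholder;
}

// Per-request step: swap each placeholder for the current session's token.
function replace_placeholders(string $markup, array $placeholders, string $seed, string $site_key): string {
  foreach ($placeholders as $placeholder => $path) {
    $markup = str_replace($placeholder, csrf_token_for($path, $seed, $site_key), $markup);
  }
  return $markup;
}

// Inbound check: recompute for the requested path and compare in constant time.
function token_is_valid(string $token, string $path, string $seed, string $site_key): bool {
  return hash_equals(csrf_token_for($path, $seed, $site_key), $token);
}

$site_key = 'constructed-site-key';  // constructed sample values throughout
$placeholders = [];
$cached = '<a href="' . build_cacheable_link('/node/{node}/delete', ['node' => '7'], $placeholders) . '">Delete</a>';
echo replace_placeholders($cached, $placeholders, 'alice-seed', $site_key), "\n";
echo replace_placeholders($cached, $placeholders, 'bob-seed', $site_key), "\n";
$alice = csrf_token_for('node/7/delete', 'alice-seed', $site_key);
var_dump(token_is_valid($alice, 'node/7/delete', 'alice-seed', $site_key)); // same path and session
var_dump(token_is_valid($alice, 'node/8/delete', 'alice-seed', $site_key)); // token moved to another path
var_dump(token_is_valid($alice, 'node/7/delete', 'bob-seed', $site_key));   // token used from another session
```

Because the cached markup holds only the path-derived placeholder, one cached copy can serve every session without leaking any user's token into the cache.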

© 2001–2016 by the original authors
Licensed under the GNU General Public License, version 2 and later.
Drupal is a registered trademark of Dries Buytaert.
https://api.drupal.org/api/drupal/core!lib!Drupal!Core!Access!RouteProcessorCsrf.php/function/RouteProcessorCsrf::processOutbound/8.1.x