By damiankloip on
Change record status:
Published
Project:
Introduced in branch:
8.x
Issue links:
Description:
CSRF tokens are now integrated into the routing/access system, so a '_csrf_token' requirement can be added to a route like any other route requirement. Links generated for such a route have the token added automatically, and the token is validated when the route is accessed.
In D7:
// When creating the link...
$link = l(t('update things'), 'my-thing/update', array('query' => array('token' => drupal_get_token('my_things'))));

// In the callback...
function my_page_callback() {
  // Reject the request unless it carries a valid token for 'my_things'.
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'my_things')) {
    return MENU_ACCESS_DENIED;
  }
  // Regular callback code here...
}
In D8:
In route definition:
my_module.mything:
  path: '/my-thing/update'
  defaults:
    _controller: 'Drupal\my_thing\Controller\MyThingController::callback'
  requirements:
    _csrf_token: 'TRUE'
Route callbacks no longer need to check for the token themselves; this is done at the access level. Also note that there is no need to specify a token value to match, as there was before. The current path is automatically used to create the token.
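A stand-alone model of the behaviour described above, added here as an example and not Drupal's implementation: the outbound side derives the token from the route path and the access side recomputes it for the requested path. The HMAC construction, the function names, the key and session-seed values, and the '/my-thing/delete' path are assumptions made for illustration.

```php
<?php
// Simplified model of a path-bound CSRF token. Not Drupal's code: the HMAC
// construction and every name below are assumptions for illustration.

// Derive the token from the route path, keyed by a per-session seed and a
// site-wide secret, so it is only valid for that path and that session.
function csrf_token(string $path, string $sessionSeed, string $siteKey): string {
  $mac = hash_hmac('sha256', $path, $sessionSeed . $siteKey, true);
  return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
}

// Outbound side: append the token when a link to a protected route is built.
function outbound_url(string $path, string $sessionSeed, string $siteKey): string {
  return $path . '?token=' . csrf_token($path, $sessionSeed, $siteKey);
}

// Access side: recompute the token for the requested path and compare.
function csrf_access(string $url, string $sessionSeed, string $siteKey): bool {
  $parts = parse_url($url);
  parse_str($parts['query'] ?? '', $query);
  $token = $query['token'] ?? null;
  if (!is_string($token)) {
    return false; // Token absent, or sent as token[]=... (an array).
  }
  $expected = csrf_token($parts['path'] ?? '', $sessionSeed, $siteKey);
  return hash_equals($expected, $token); // Constant-time comparison.
}

// Constructed sample values; '/my-thing/delete' is a hypothetical second route.
$siteKey = 'constructed-site-secret';
$sessionA = bin2hex(random_bytes(16));
$sessionB = bin2hex(random_bytes(16));

$link = outbound_url('/my-thing/update', $sessionA, $siteKey);
$token = csrf_token('/my-thing/update', $sessionA, $siteKey);

$cases = [
  'generated link, same session'  => [$link, $sessionA],
  'same path, no token'           => ['/my-thing/update', $sessionA],
  'token reused on another path'  => ['/my-thing/delete?token=' . $token, $sessionA],
  'generated link, other session' => [$link, $sessionB],
];
foreach ($cases as $label => [$url, $seed]) {
  printf("%-30s %s\n", $label, csrf_access($url, $seed, $siteKey) ? 'allowed' : 'denied');
}
```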
Impacts:
Module developers