vendor/pimcore/pimcore/bundles/AdminBundle/EventListener/CsrfProtectionListener.php line 64

Open in your IDE?
  1. <?php
  3. /**
  4.  * Pimcore
  5.  *
  6.  * This source file is available under two different licenses:
  7.  * - GNU General Public License version 3 (GPLv3)
  8.  * - Pimcore Commercial License (PCL)
  9.  * Full copyright and license information is available in
  10.  * LICENSE.md which is distributed with this source code.
  11.  *
  12.  *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
  13.  *  @license    http://www.pimcore.org/license     GPLv3 and PCL
  14.  */
  16. namespace Pimcore\Bundle\AdminBundle\EventListener;
  18. use Pimcore\Bundle\AdminBundle\Security\CsrfProtectionHandler;
  19. use Pimcore\Bundle\CoreBundle\EventListener\Traits\PimcoreContextAwareTrait;
  20. use Pimcore\Http\Request\Resolver\PimcoreContextResolver;
  21. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  22. use Symfony\Component\HttpKernel\Event\RequestEvent;
  23. use Symfony\Component\HttpKernel\KernelEvents;
  24. use Twig\Environment;
  26. /**
  27.  * @internal
  28.  */
  29. class CsrfProtectionListener implements EventSubscriberInterface
  30. {
  31.     use PimcoreContextAwareTrait;
  33.     /**
  34.      * @var Environment
  35.      */
  36.     protected $twig;
  38.     /**
  39.      * @var CsrfProtectionHandler $handler
  40.      */
  41.     protected $csrfProtectionHandler;
  43.     /**
  44.      * @param CsrfProtectionHandler $csrfProtectionHandler
  45.      */
  46.     public function __construct(CsrfProtectionHandler $csrfProtectionHandler)
  47.     {
  48.         $this->csrfProtectionHandler $csrfProtectionHandler;
  49.     }
  51.     /**
  52.      * {@inheritdoc}
  53.      */
  54.     public static function getSubscribedEvents()
  55.     {
  56.         return [
  57.             KernelEvents::REQUEST => ['handleRequest'11],
  58.         ];
  59.     }
  61.     /**
  62.      * @param RequestEvent $event
  63.      */
  64.     public function handleRequest(RequestEvent $event)
  65.     {
  66.         $request $event->getRequest();
  67.         if (!$this->matchesPimcoreContext($requestPimcoreContextResolver::CONTEXT_ADMIN)) {
  68.             return;
  69.         }
  71.         $this->csrfProtectionHandler->generateCsrfToken();
  73.         if ($request->isMethodCacheable()) {
  74.             return;
  75.         }
  77.         $exludedRoutes = [
  78.             // WebDAV
  79.             'pimcore_admin_webdav',
  81.             // external applications
  82.             'pimcore_admin_external_opcache_index',
  83.             'pimcore_admin_external_adminer_adminer''pimcore_admin_external_adminer_proxy',
  84.             'pimcore_admin_external_adminer_proxy_1''pimcore_admin_external_adminer_proxy_2',
  85.         ];
  87.         $route $request->attributes->get('_route');
  88.         if (in_array($route$exludedRoutes) || in_array($route$this->csrfProtectionHandler->getExcludedRoutes())) {
  89.             return;
  90.         }
  92.         $this->csrfProtectionHandler->checkCsrfToken($request);
  93.     }
  94. }