
Validate toolbar subtrees hash in AJAX responses

Open Carlos Romero requested to merge issue/drupal-3130197:3130197-10.4.x into 10.4.x
2 files
+ 7
5
@@ -37,10 +37,13 @@ public function __construct(
@@ -37,10 +37,13 @@ public function __construct(
*
*
* @return \Drupal\Core\Ajax\AjaxResponse
* @return \Drupal\Core\Ajax\AjaxResponse
*/
*/
public function subtreesAjax() {
public function subtreesAjax($hash) {
[$subtrees] = toolbar_get_rendered_subtrees();
[$subtrees] = toolbar_get_rendered_subtrees();
 
$expected_hash = _toolbar_get_subtrees_hash()[0];
$response = new AjaxResponse();
$response = new AjaxResponse();
$response->addCommand(new SetSubtreesCommand($subtrees));
if (hash_equals($expected_hash, $hash)) {
 
$response->addCommand(new SetSubtreesCommand($subtrees));
 
}
// The Expires HTTP header is the heart of the client-side HTTP caching. The
// The Expires HTTP header is the heart of the client-side HTTP caching. The
// additional server-side page cache only takes effect when the client
// additional server-side page cache only takes effect when the client
@@ -67,8 +70,7 @@ public function subtreesAjax() {
@@ -67,8 +70,7 @@ public function subtreesAjax() {
* The access result.
* The access result.
*/
*/
public function checkSubTreeAccess($hash) {
public function checkSubTreeAccess($hash) {
$expected_hash = _toolbar_get_subtrees_hash()[0];
return AccessResult::allowedIf($this->currentUser()->hasPermission('access toolbar'))->cachePerPermissions();
return AccessResult::allowedIf($this->currentUser()->hasPermission('access toolbar') && hash_equals($expected_hash, $hash))->cachePerPermissions();
}
}
/**
/**
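Review bot: The mismatch branch of `if (hash_equals($expected_hash, $hash))` still falls through to the Expires/client-side caching handling the comment below introduces (subtreesAjax's body continues past the hunk), so a browser can cache an empty subtrees response under a hash URL that may later become valid again — the hash presumably derives from the rendered subtrees, so reverting a permission change could reproduce it. Either return early on mismatch with a response that does not carry the long-lived cache headers, or confirm that those headers are only applied on the matching path. The docblock also gains no entry for the new `$hash` parameter; unless one was added above the hunk, add `* @param string $hash` / `*   The subtrees hash supplied by the client; compared with _toolbar_get_subtrees_hash() to decide whether the SetSubtreesCommand is emitted.` before the existing `@return`. With the hash comparison removed from checkSubTreeAccess in the second hunk, a stale hash now yields a 200 with no command instead of a 403, which is worth a one-line note at the `if` so the silent-empty behaviour is clearly deliberate.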