From f9b957554f2b7f2b08747d4ecd3da0effd7bc51b Mon Sep 17 00:00:00 2001 From: Qiang Xue Date: Wed, 18 Sep 2013 23:24:11 -0400 Subject: [PATCH] Added Controller::enableCsrfValidation to support turning on/off CSRF validation for particular actions. --- framework/yii/base/Controller.php | 2 ++ framework/yii/web/Controller.php | 18 ++++++++++++++++++ framework/yii/web/Request.php | 4 ++-- 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/framework/yii/base/Controller.php b/framework/yii/base/Controller.php index 20f6e2b..3eebaa0 100644 --- a/framework/yii/base/Controller.php +++ b/framework/yii/base/Controller.php @@ -210,6 +210,7 @@ class Controller extends Component /** * This method is invoked right before an action is to be executed (after all possible filters.) * You may override this method to do last-minute preparation for the action. + * If you override this method, please make sure you call the parent implementation first. * @param Action $action the action to be executed. * @return boolean whether the action should continue to be executed. */ @@ -223,6 +224,7 @@ class Controller extends Component /** * This method is invoked right after an action is executed. * You may override this method to do some postprocessing for the action. + * If you override this method, please make sure you call the parent implementation first. * @param Action $action the action just executed. * @param mixed $result the action return result. */ diff --git a/framework/yii/web/Controller.php b/framework/yii/web/Controller.php index adb1b4d..9238063 100644 --- a/framework/yii/web/Controller.php +++ b/framework/yii/web/Controller.php @@ -20,6 +20,12 @@ use yii\helpers\Html; class Controller extends \yii\base\Controller { /** + * @var boolean whether to enable CSRF validation for the actions in this controller. + * CSRF validation is enabled only when both this property and [[Request::enableCsrfValidation]] are true. + */ + public $enableCsrfValidation = true; + + /** * Binds the parameters to the action. * This method is invoked by [[Action]] when it begins to run with the given parameters. * This method will check the parameter names that the action requires and return @@ -62,6 +68,18 @@ class Controller extends \yii\base\Controller } /** + * @inheritdoc + */ + public function beforeAction($action) + { + if (parent::beforeAction($action)) { + return !$this->enableCsrfValidation || Yii::$app->getRequest()->validateCsrfToken(); + } else { + return false; + } + } + + /** * Creates a URL using the given route and parameters. * * This method enhances [[UrlManager::createUrl()]] by supporting relative routes. diff --git a/framework/yii/web/Request.php b/framework/yii/web/Request.php index 9e625f7..1186e05 100644 --- a/framework/yii/web/Request.php +++ b/framework/yii/web/Request.php @@ -87,6 +87,7 @@ class Request extends \yii\base\Request * In JavaScript, you may get the values of [[csrfVar]] and [[csrfToken]] via `yii.getCsrfVar()` and * `yii.getCsrfToken()`, respectively. The [[\yii\web\YiiAsset]] asset must be registered. * + * @see Controller::enableCsrfValidation * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery */ public $enableCsrfValidation = false; @@ -122,8 +123,6 @@ class Request extends \yii\base\Request */ public function resolve() { - $this->validateCsrfToken(); - $result = Yii::$app->getUrlManager()->parseRequest($this); if ($result !== false) { list ($route, $params) = $result; @@ -1023,6 +1022,7 @@ class Request extends \yii\base\Request * Performs the CSRF validation. * The method will compare the CSRF token obtained from a cookie and from a POST field. * If they are different, a CSRF attack is detected and a 400 HTTP exception will be raised. + * This method is called in [[Controller::beforeAction()]]. * @throws HttpException if the validation fails */ public function validateCsrfToken()