Browse Source

Added Controller::enableCsrfValidation to support turning on/off CSRF validation for particular actions.

tags/2.0.0-beta
Qiang Xue 11 years ago
parent
commit
f9b957554f
  1. 2
      framework/yii/base/Controller.php
  2. 18
      framework/yii/web/Controller.php
  3. 4
      framework/yii/web/Request.php

2
framework/yii/base/Controller.php

@ -210,6 +210,7 @@ class Controller extends Component
/** /**
* This method is invoked right before an action is to be executed (after all possible filters.) * This method is invoked right before an action is to be executed (after all possible filters.)
* You may override this method to do last-minute preparation for the action. * You may override this method to do last-minute preparation for the action.
* If you override this method, please make sure you call the parent implementation first.
* @param Action $action the action to be executed. * @param Action $action the action to be executed.
* @return boolean whether the action should continue to be executed. * @return boolean whether the action should continue to be executed.
*/ */
@ -223,6 +224,7 @@ class Controller extends Component
/** /**
* This method is invoked right after an action is executed. * This method is invoked right after an action is executed.
* You may override this method to do some postprocessing for the action. * You may override this method to do some postprocessing for the action.
* If you override this method, please make sure you call the parent implementation first.
* @param Action $action the action just executed. * @param Action $action the action just executed.
* @param mixed $result the action return result. * @param mixed $result the action return result.
*/ */

18
framework/yii/web/Controller.php

@ -20,6 +20,12 @@ use yii\helpers\Html;
class Controller extends \yii\base\Controller class Controller extends \yii\base\Controller
{ {
/** /**
* @var boolean whether to enable CSRF validation for the actions in this controller.
* CSRF validation is enabled only when both this property and [[Request::enableCsrfValidation]] are true.
*/
public $enableCsrfValidation = true;
/**
* Binds the parameters to the action. * Binds the parameters to the action.
* This method is invoked by [[Action]] when it begins to run with the given parameters. * This method is invoked by [[Action]] when it begins to run with the given parameters.
* This method will check the parameter names that the action requires and return * This method will check the parameter names that the action requires and return
@ -62,6 +68,18 @@ class Controller extends \yii\base\Controller
} }
/** /**
* @inheritdoc
*/
public function beforeAction($action)
{
if (parent::beforeAction($action)) {
return !$this->enableCsrfValidation || Yii::$app->getRequest()->validateCsrfToken();
} else {
return false;
}
}
/**
* Creates a URL using the given route and parameters. * Creates a URL using the given route and parameters.
* *
* This method enhances [[UrlManager::createUrl()]] by supporting relative routes. * This method enhances [[UrlManager::createUrl()]] by supporting relative routes.

4
framework/yii/web/Request.php

@ -87,6 +87,7 @@ class Request extends \yii\base\Request
* In JavaScript, you may get the values of [[csrfVar]] and [[csrfToken]] via `yii.getCsrfVar()` and * In JavaScript, you may get the values of [[csrfVar]] and [[csrfToken]] via `yii.getCsrfVar()` and
* `yii.getCsrfToken()`, respectively. The [[\yii\web\YiiAsset]] asset must be registered. * `yii.getCsrfToken()`, respectively. The [[\yii\web\YiiAsset]] asset must be registered.
* *
* @see Controller::enableCsrfValidation
* @see http://en.wikipedia.org/wiki/Cross-site_request_forgery * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
*/ */
public $enableCsrfValidation = false; public $enableCsrfValidation = false;
@ -122,8 +123,6 @@ class Request extends \yii\base\Request
*/ */
public function resolve() public function resolve()
{ {
$this->validateCsrfToken();
$result = Yii::$app->getUrlManager()->parseRequest($this); $result = Yii::$app->getUrlManager()->parseRequest($this);
if ($result !== false) { if ($result !== false) {
list ($route, $params) = $result; list ($route, $params) = $result;
@ -1023,6 +1022,7 @@ class Request extends \yii\base\Request
* Performs the CSRF validation. * Performs the CSRF validation.
* The method will compare the CSRF token obtained from a cookie and from a POST field. * The method will compare the CSRF token obtained from a cookie and from a POST field.
* If they are different, a CSRF attack is detected and a 400 HTTP exception will be raised. * If they are different, a CSRF attack is detected and a 400 HTTP exception will be raised.
* This method is called in [[Controller::beforeAction()]].
* @throws HttpException if the validation fails * @throws HttpException if the validation fails
*/ */
public function validateCsrfToken() public function validateCsrfToken()

Loading…
Cancel
Save