diff --git a/framework/yii/web/Controller.php b/framework/yii/web/Controller.php
index 9238063..773e2de 100644
--- a/framework/yii/web/Controller.php
+++ b/framework/yii/web/Controller.php
@@ -73,7 +73,10 @@ class Controller extends \yii\base\Controller
 public function beforeAction($action)
 {
 if (parent::beforeAction($action)) {
- return !$this->enableCsrfValidation || Yii::$app->getRequest()->validateCsrfToken();
+ if ($this->enableCsrfValidation && !Yii::$app->getRequest()->validateCsrfToken()) {
+ throw new HttpException(400, Yii::t('yii', 'Unable to verify your data submission.'));
+ }
+ return true;
 } else {
 return false;
 }
diff --git a/framework/yii/web/Request.php b/framework/yii/web/Request.php
index 1186e05..6b805ea 100644
--- a/framework/yii/web/Request.php
+++ b/framework/yii/web/Request.php
@@ -1023,12 +1023,12 @@ class Request extends \yii\base\Request
 * The method will compare the CSRF token obtained from a cookie and from a POST field.
 * If they are different, a CSRF attack is detected and a 400 HTTP exception will be raised.
 * This method is called in [[Controller::beforeAction()]].
- * @throws HttpException if the validation fails
+ * @return boolean whether CSRF token is valid. If [[enableCsrfValidation]] is false, this method will return true.
 */
 public function validateCsrfToken()
 {
 if (!$this->enableCsrfValidation) {
- return;
+ return true;
 }
 $method = $this->getMethod();
 if ($method === 'POST' || $method === 'PUT' || $method === 'PATCH' || $method === 'DELETE') {
@@ -1047,10 +1047,9 @@ class Request extends \yii\base\Request
 $token = $this->getDelete($this->csrfVar);
 }
 
- $valid = !empty($token) && $token === $trueToken || $this->getCsrfTokenFromHeader() === $trueToken;
- if (!$valid) {
- throw new HttpException(400, Yii::t('yii', 'Unable to verify your data submission.'));
- }
+ return !empty($token) && $token === $trueToken || $this->getCsrfTokenFromHeader() === $trueToken;
+ } else {
+ return true;
 }
 }
 }
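Review bot: The new `throw new HttpException(400, ...)` inside beforeAction is not documented on the method, whose docblock lies above the hunk; add `@throws HttpException if CSRF validation fails` so callers and subclasses that override beforeAction know it may now abort the request with a 400 instead of returning false. The hunk does not show the file's `use` imports, so confirm that `HttpException` resolves from the `yii\web` namespace (or add the import) — the old line only referenced `Yii`, which was already in scope. The method's closing brace lies outside the hunk.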
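Review bot: The unchanged docblock sentence `If they are different, a CSRF attack is detected and a 400 HTTP exception will be raised.` is now stale: after this change validateCsrfToken no longer throws, it returns false and the exception is raised by the controller. Reword it to `* If they are different, a CSRF attack is detected and this method returns false; [[Controller::beforeAction()]] then raises a 400 HTTP exception.` so the prose agrees with the new `@return boolean` line. The method's body continues past this hunk.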
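Review bot: The second disjunct of the returned expression, `$this->getCsrfTokenFromHeader() === $trueToken`, has no non-empty guard, unlike the `!empty($token)` check on the first; `$trueToken` is assigned above the hunk from the cookie, so if the cookie is absent and the header lookup also yields null for a missing header, `null === null` lets validation succeed without any token being presented. Guard the expected value once before comparing, e.g. `if (empty($trueToken)) { return false; }` ahead of the `return`, so both the field and header paths require a real cookie value; I cannot see getCsrfTokenFromHeader() here, so confirm what it returns when the header is absent. Where the supported PHP version provides `hash_equals()`, preferring it over `===` for the two token comparisons also avoids a timing side channel. The enclosing method's signature is outside this hunk.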