renamed Request::csrfTokenName to csrfVar.
added version, csrfVar and csrfToken to yii js module.
@@ -43,7 +43,13 @@
|
||||
*/
|
||||
yii = (function ($) {
|
||||
var pub = {
|
||||
// version of Yii framework
|
||||
version: '2.0',
|
||||
// CSRF token name and value. If this is set and a form is created and submitted using JavaScript
|
||||
// via POST, the CSRF token should be submitted too to pass CSRF validation.
|
||||
csrfVar: undefined,
|
||||
csrfToken: undefined,
|
||||
|
||||
initModule: function (module) {
|
||||
if (module.isActive === undefined || module.isActive) {
|
||||
if ($.isFunction(module.init)) {
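Review bot: The comment above the new `csrfVar`/`csrfToken` fields says the token must be sent for forms submitted "via POST", but the server-side check added to Request later in this commit reads the token for PUT, PATCH and DELETE as well, so JavaScript that issues those methods also has to include it. I would widen the comment to `// CSRF token name and value. When set, any form or request sent from JavaScript via POST, PUT, PATCH or DELETE must include a field named csrfVar with value csrfToken to pass CSRF validation.` Both fields stay `undefined` until the server-side asset bundle fills them in, so callers should check `yii.csrfVar !== undefined` before appending the field rather than emitting the string "undefined". The `pub` object literal continues past the end of this hunk.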
|
||||
|
||||
@@ -238,7 +238,7 @@ class HtmlBase
|
||||
$method = 'post';
|
||||
}
|
||||
if ($request->enableCsrfValidation) {
|
||||
$hiddenInputs[] = static::hiddenInput($request->csrfTokenName, $request->getCsrfToken());
|
||||
$hiddenInputs[] = static::hiddenInput($request->csrfVar, $request->getCsrfToken());
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -73,16 +73,16 @@ class Request extends \yii\base\Request
|
||||
* from the same application. If not, a 400 HTTP exception will be raised.
|
||||
*
|
||||
* Note, this feature requires that the user client accepts cookie. Also, to use this feature,
|
||||
* forms submitted via POST method must contain a hidden input whose name is specified by [[csrfTokenName]].
|
||||
* forms submitted via POST method must contain a hidden input whose name is specified by [[csrfVar]].
|
||||
* You may use [[\yii\web\Html::beginForm()]] to generate his hidden input.
|
||||
* @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
|
||||
*/
|
||||
public $enableCsrfValidation = false;
|
||||
/**
|
||||
* @var string the name of the token used to prevent CSRF. Defaults to 'YII_CSRF_TOKEN'.
|
||||
* This property is effectively only when {@link enableCsrfValidation} is true.
|
||||
* @var string the name of the token used to prevent CSRF. Defaults to '_csrf'.
|
||||
* This property is effectively only when [[enableCsrfValidation]] is true.
|
||||
*/
|
||||
public $csrfTokenName = '_csrf';
|
||||
public $csrfVar = '_csrf';
|
||||
/**
|
||||
* @var array the configuration of the CSRF cookie. This property is used only when [[enableCsrfValidation]] is true.
|
||||
* @see Cookie
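Review bot: The reworded docblock for `$csrfVar` still reads `This property is effectively only when [[enableCsrfValidation]] is true`, which should be `* This property is effective only when [[enableCsrfValidation]] is true.`, and the `$enableCsrfValidation` docblock above it says `generate his hidden input` where `generate this hidden input` is meant. Since the default is `public $enableCsrfValidation = false;`, it would help readers to say so in that docblock, e.g. `* Defaults to false; enable it for any application that accepts state-changing POST, PUT, PATCH or DELETE requests from browsers.` The `$enableCsrfValidation` docblock begins before this hunk, so its opening lines are not visible here.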
|
||||
@@ -975,7 +975,7 @@ class Request extends \yii\base\Request
|
||||
public function getCsrfToken()
|
||||
{
|
||||
if ($this->_csrfCookie === null) {
|
||||
$this->_csrfCookie = $this->getCookies()->get($this->csrfTokenName);
|
||||
$this->_csrfCookie = $this->getCookies()->get($this->csrfVar);
|
||||
if ($this->_csrfCookie === null) {
|
||||
$this->_csrfCookie = $this->createCsrfCookie();
|
||||
Yii::$app->getResponse()->getCookies()->add($this->_csrfCookie);
|
||||
@@ -994,7 +994,7 @@ class Request extends \yii\base\Request
|
||||
protected function createCsrfCookie()
|
||||
{
|
||||
$options = $this->csrfCookie;
|
||||
$options['name'] = $this->csrfTokenName;
|
||||
$options['name'] = $this->csrfVar;
|
||||
$options['value'] = sha1(uniqid(mt_rand(), true));
|
||||
return new Cookie($options);
|
||||
}
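Review bot: The unchanged line `$options['value'] = sha1(uniqid(mt_rand(), true));` derives the anti-CSRF secret from mt_rand() and uniqid(), neither of which is a cryptographically secure source, and sha1 adds no entropy, so the token is predictable to an attacker who can observe a few values or approximate the server clock. Since this commit already edits createCsrfCookie, switch the value to a CSPRNG, e.g. `$options['value'] = bin2hex(random_bytes(32));` (or `bin2hex(openssl_random_pseudo_bytes(32))` if the supported PHP version predates random_bytes()). The rest of the cookie options come from `$this->csrfCookie`, which is configured outside this hunk, so I cannot tell from here which cookie flags are applied.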
|
||||
@@ -1015,19 +1015,19 @@ class Request extends \yii\base\Request
|
||||
$cookies = $this->getCookies();
|
||||
switch ($method) {
|
||||
case 'POST':
|
||||
$token = $this->getPost($this->csrfTokenName);
|
||||
$token = $this->getPost($this->csrfVar);
|
||||
break;
|
||||
case 'PUT':
|
||||
$token = $this->getPut($this->csrfTokenName);
|
||||
$token = $this->getPut($this->csrfVar);
|
||||
break;
|
||||
case 'PATCH':
|
||||
$token = $this->getPatch($this->csrfTokenName);
|
||||
$token = $this->getPatch($this->csrfVar);
|
||||
break;
|
||||
case 'DELETE':
|
||||
$token = $this->getDelete($this->csrfTokenName);
|
||||
$token = $this->getDelete($this->csrfVar);
|
||||
}
|
||||
|
||||
if (empty($token) || $cookies->getValue($this->csrfTokenName) !== $token) {
|
||||
if (empty($token) || $cookies->getValue($this->csrfVar) !== $token) {
|
||||
throw new HttpException(400, Yii::t('yii', 'Unable to verify your data submission.'));
|
||||
}
|
||||
}
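Review bot: The comparison `$cookies->getValue($this->csrfVar) !== $token` is a plain string compare of a secret; a constant-time comparison is preferable, e.g. `if (empty($token) || !hash_equals((string) $cookies->getValue($this->csrfVar), (string) $token))` (hash_equals needs PHP 5.6, so a loop-based equivalent would be required on older targets). The `switch ($method)` has no `default` branch, so for any other method `$token` is never assigned and rejection relies on empty() tolerating an undefined variable; an explicit `default: $token = null;` makes that intent clear. The enclosing method starts before this hunk, so I cannot see whether safe methods such as GET are filtered out earlier.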
|
||||
|
||||
@@ -7,6 +7,8 @@
|
||||
|
||||
namespace yii\web;
|
||||
|
||||
use Yii;
|
||||
|
||||
/**
|
||||
* @author Qiang Xue <qiang.xue@gmail.com>
|
||||
* @since 2.0
|
||||
@@ -20,4 +22,19 @@ class YiiAsset extends AssetBundle
|
||||
public $depends = array(
|
||||
'yii\web\JqueryAsset',
|
||||
);
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function registerAssets($view)
|
||||
{
|
||||
parent::registerAssets($view);
|
||||
$js[] = "yii.version = '" . Yii::getVersion() . "';";
|
||||
$request = Yii::$app->getRequest();
|
||||
if ($request instanceof Request && $request->enableCsrfValidation) {
|
||||
$js[] = "yii.csrfVar = '{$request->csrfVar}';";
|
||||
$js[] = "yii.csrfToken = '{$request->csrfToken}';";
|
||||
}
|
||||
$view->registerJs(implode("\n", $js));
|
||||
}
|
||||
}
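Review bot: The lines `$js[] = "yii.csrfVar = '{$request->csrfVar}';"` and `$js[] = "yii.csrfToken = '{$request->csrfToken}';"` interpolate values straight into a JavaScript string literal with no escaping. `csrfToken` comes from getCsrfToken(), which in this commit returns the value of an existing request cookie when one is present, so unless getCookies() enforces cookie integrity — I cannot tell from here — a cookie value containing a quote or `</script>` would be written unescaped into the page. Encode both values as JS literals instead: `$js[] = 'yii.csrfVar = ' . json_encode($request->csrfVar) . ';';` and `$js[] = 'yii.csrfToken = ' . json_encode($request->csrfToken) . ';';` (json_encode escapes `/` by default, which also defuses `</script>`). `$js` is also appended to before being initialised; start the method body with `$js = array();` to match the array() style used in this file.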
|
||||
|
||||