Implement #10078: Allow disabling csrf hidden input generation on a form

Mehdi Achour
2015-11-18 10:22:31 +01:00
parent 1a48d24830
commit cca500083e
3 changed files with 24 additions and 1 deletions


@@ -63,6 +63,7 @@ Yii Framework 2 Change Log
- Chg #9411: `DetailView` now automatically sets container tag ID in case it's not specified (samdark)
- Chg #9953: `TimestampBehavior::getValue()` changed to make value processing consistent with `AttributeBehavior::getValue()` (silverfire)
- New #10083: Added wrapper for PHP webserver (samdark)
- Enh #10078: Added `csrf` option to `Html::beginForm()` to allow disabling the hidden csrf field generation. (machour)
- Enh #10098: Changed `yii.confirm` context bind to triggered dom element. (lichunqiang)
2.0.6 August 05, 2015


@@ -300,6 +300,7 @@ class BaseHtml
* the attributes of the resulting tag. The values will be HTML-encoded using [[encode()]].
* If a value is null, the corresponding attribute will not be rendered.
* See [[renderTagAttributes()]] for details on how attributes are being rendered.
* The "csrf" special option can be set to FALSE to prevent the form from generating the CSRF hidden field.
* @return string the generated form start tag.
* @see endForm()
*/
@@ -316,7 +317,9 @@ class BaseHtml
$hiddenInputs[] = static::hiddenInput($request->methodParam, $method);
$method = 'post';
}
if ($request->enableCsrfValidation && !strcasecmp($method, 'post')) {
$csrf = ArrayHelper::remove($options, 'csrf', true);
if ($csrf && $request->enableCsrfValidation && !strcasecmp($method, 'post')) {
$hiddenInputs[] = static::hiddenInput($request->csrfParam, $request->getCsrfToken());
}
}
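Review bot: The `$csrf &&` test in the new condition is a truthiness check, so `'csrf' => null`, `0` or `''` suppress the token field just like `false`, while the docblock line added above documents only FALSE. Since the same docblock says a null option value means "attribute not rendered", a caller passing a computed or null value could drop the token without intending to, and POSTs from that form would presumably fail validation while `enableCsrfValidation` is on. Writing the condition as `if ($csrf !== false && $request->enableCsrfValidation && !strcasecmp($method, 'post')) {` keeps the opt-out explicit. The docblock should also say when the option is appropriate, for example `Use this for forms that submit to an external URL, so the CSRF token is not sent to a third party; forms posting back to this application still need the token while CSRF validation is enabled.` The method body starts and ends outside the hunk, so how `$options` is used afterwards is not visible here.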