Commit 51c29e44 by Qiang Xue

renamed Request::csrfTokenName to csrfVar.

added version, csrfVar and csrfToken to yii js module.
parent f5778b6b
...@@ -43,7 +43,13 @@ ...@@ -43,7 +43,13 @@
*/ */
yii = (function ($) { yii = (function ($) {
var pub = { var pub = {
// version of Yii framework
version: '2.0', version: '2.0',
// CSRF token name and value. If this is set and a form is created and submitted using JavaScript
// via POST, the CSRF token should be submitted too to pass CSRF validation.
csrfVar: undefined,
csrfToken: undefined,
initModule: function (module) { initModule: function (module) {
if (module.isActive === undefined || module.isActive) { if (module.isActive === undefined || module.isActive) {
if ($.isFunction(module.init)) { if ($.isFunction(module.init)) {
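Review bot: The comment above the new `csrfVar`/`csrfToken` fields says the token "should be submitted too" but not where the values come from or when they are populated, which a script author needs before relying on them; from the server-side hunk in this commit they are only assigned when CSRF validation is enabled and stay `undefined` otherwise. I would make that explicit: `// CSRF token name and value. Populated by the server only when CSRF validation is enabled (both are undefined otherwise). Any form built and submitted from JavaScript via POST/PUT/PATCH/DELETE must include a field named csrfVar whose value is csrfToken, or the request fails CSRF validation.` The enclosing `pub` object literal continues past the end of this hunk.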
...@@ -238,7 +238,7 @@ class HtmlBase ...@@ -238,7 +238,7 @@ class HtmlBase
$method = 'post'; $method = 'post';
} }
if ($request->enableCsrfValidation) { if ($request->enableCsrfValidation) {
$hiddenInputs[] = static::hiddenInput($request->csrfTokenName, $request->getCsrfToken()); $hiddenInputs[] = static::hiddenInput($request->csrfVar, $request->getCsrfToken());
} }
} }
...@@ -73,16 +73,16 @@ class Request extends \yii\base\Request ...@@ -73,16 +73,16 @@ class Request extends \yii\base\Request
* from the same application. If not, a 400 HTTP exception will be raised. * from the same application. If not, a 400 HTTP exception will be raised.
* *
* Note, this feature requires that the user client accepts cookie. Also, to use this feature, * Note, this feature requires that the user client accepts cookie. Also, to use this feature,
* forms submitted via POST method must contain a hidden input whose name is specified by [[csrfTokenName]]. * forms submitted via POST method must contain a hidden input whose name is specified by [[csrfVar]].
* You may use [[\yii\web\Html::beginForm()]] to generate his hidden input. * You may use [[\yii\web\Html::beginForm()]] to generate his hidden input.
* @see http://en.wikipedia.org/wiki/Cross-site_request_forgery * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
*/ */
public $enableCsrfValidation = false; public $enableCsrfValidation = false;
/** /**
* @var string the name of the token used to prevent CSRF. Defaults to 'YII_CSRF_TOKEN'. * @var string the name of the token used to prevent CSRF. Defaults to '_csrf'.
* This property is effectively only when {@link enableCsrfValidation} is true. * This property is effectively only when [[enableCsrfValidation]] is true.
*/ */
public $csrfTokenName = '_csrf'; public $csrfVar = '_csrf';
/** /**
* @var array the configuration of the CSRF cookie. This property is used only when [[enableCsrfValidation]] is true. * @var array the configuration of the CSRF cookie. This property is used only when [[enableCsrfValidation]] is true.
* @see Cookie * @see Cookie
...@@ -975,7 +975,7 @@ class Request extends \yii\base\Request ...@@ -975,7 +975,7 @@ class Request extends \yii\base\Request
public function getCsrfToken() public function getCsrfToken()
{ {
if ($this->_csrfCookie === null) { if ($this->_csrfCookie === null) {
$this->_csrfCookie = $this->getCookies()->get($this->csrfTokenName); $this->_csrfCookie = $this->getCookies()->get($this->csrfVar);
if ($this->_csrfCookie === null) { if ($this->_csrfCookie === null) {
$this->_csrfCookie = $this->createCsrfCookie(); $this->_csrfCookie = $this->createCsrfCookie();
Yii::$app->getResponse()->getCookies()->add($this->_csrfCookie); Yii::$app->getResponse()->getCookies()->add($this->_csrfCookie);
...@@ -994,7 +994,7 @@ class Request extends \yii\base\Request ...@@ -994,7 +994,7 @@ class Request extends \yii\base\Request
protected function createCsrfCookie() protected function createCsrfCookie()
{ {
$options = $this->csrfCookie; $options = $this->csrfCookie;
$options['name'] = $this->csrfTokenName; $options['name'] = $this->csrfVar;
$options['value'] = sha1(uniqid(mt_rand(), true)); $options['value'] = sha1(uniqid(mt_rand(), true));
return new Cookie($options); return new Cookie($options);
} }
...@@ -1015,19 +1015,19 @@ class Request extends \yii\base\Request ...@@ -1015,19 +1015,19 @@ class Request extends \yii\base\Request
$cookies = $this->getCookies(); $cookies = $this->getCookies();
switch ($method) { switch ($method) {
case 'POST': case 'POST':
$token = $this->getPost($this->csrfTokenName); $token = $this->getPost($this->csrfVar);
break; break;
case 'PUT': case 'PUT':
$token = $this->getPut($this->csrfTokenName); $token = $this->getPut($this->csrfVar);
break; break;
case 'PATCH': case 'PATCH':
$token = $this->getPatch($this->csrfTokenName); $token = $this->getPatch($this->csrfVar);
break; break;
case 'DELETE': case 'DELETE':
$token = $this->getDelete($this->csrfTokenName); $token = $this->getDelete($this->csrfVar);
} }
if (empty($token) || $cookies->getValue($this->csrfTokenName) !== $token) { if (empty($token) || $cookies->getValue($this->csrfVar) !== $token) {
throw new HttpException(400, Yii::t('yii', 'Unable to verify your data submission.')); throw new HttpException(400, Yii::t('yii', 'Unable to verify your data submission.'));
} }
} }
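Review bot: The CSRF token minted in createCsrfCookie, `$options['value'] = sha1(uniqid(mt_rand(), true));` on the line after the renamed `$options['name'] = $this->csrfVar;`, is derived from mt_rand() and a timestamp-based uniqid(), neither of which is a cryptographic randomness source, so its unpredictability rests on a Mersenne Twister output plus a microsecond clock rather than on a CSPRNG. Since this commit also starts publishing the token value to page JavaScript, it is worth drawing it from a proper source, e.g. `$options['value'] = bin2hex(openssl_random_pseudo_bytes(20));` (or `random_bytes()` where the minimum PHP version allows), which keeps the value a hex string so the comparison in validateCsrfToken is unaffected. In that comparison, `$cookies->getValue($this->csrfVar) !== $token`, a constant-time compare such as `hash_equals()` would be preferable where the PHP version provides it; I cannot tell from these hunks whether the cookie collection signs or validates the CSRF cookie, and validateCsrfToken's signature lies above the last hunk.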
...@@ -7,6 +7,8 @@ ...@@ -7,6 +7,8 @@
namespace yii\web; namespace yii\web;
use Yii;
/** /**
* @author Qiang Xue <qiang.xue@gmail.com> * @author Qiang Xue <qiang.xue@gmail.com>
* @since 2.0 * @since 2.0
...@@ -20,4 +22,19 @@ class YiiAsset extends AssetBundle ...@@ -20,4 +22,19 @@ class YiiAsset extends AssetBundle
public $depends = array( public $depends = array(
'yii\web\JqueryAsset', 'yii\web\JqueryAsset',
); );
/**
* @inheritdoc
*/
public function registerAssets($view)
{
parent::registerAssets($view);
$js[] = "yii.version = '" . Yii::getVersion() . "';";
$request = Yii::$app->getRequest();
if ($request instanceof Request && $request->enableCsrfValidation) {
$js[] = "yii.csrfVar = '{$request->csrfVar}';";
$js[] = "yii.csrfToken = '{$request->csrfToken}';";
}
$view->registerJs(implode("\n", $js));
}
} }
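Review bot: In the new registerAssets the token is written into an inline script by plain string interpolation, `$js[] = "yii.csrfToken = '{$request->csrfToken}';";`, and getCsrfToken() in this commit first reads the cookie named csrfVar from the incoming request, so a client-supplied cookie value containing a quote or `</script>` would appear to reach the page unescaped unless the cookie collection validates cookie contents elsewhere, which these hunks do not show. Encoding both values as JavaScript literals removes the dependency on that: `$js[] = 'yii.csrfVar = ' . json_encode($request->csrfVar, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP) . ';';` and the same for csrfToken. `$js` is also appended to before being initialised; adding `$js = array();` before the first append matches the file's array() style and avoids relying on auto-vivification. A short docblock line saying that csrfVar/csrfToken are only emitted when enableCsrfValidation is on would help readers of the JS side.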