Yii Framework Forum: CHtml::linkButton and CSRF - Yii Framework Forum

CHtml::linkButton and CSRF

#1 Ismael

  • Standard Member
  • Group: Members
  • Posts: 163
  • Joined: 02-June 09
  • Location: Brazil

Posted 26 June 2009 - 12:35 PM

Hi all.

I have CSRF check enabled.

And I got this error:
Bad Request
The CSRF token could not be verified.


The solution was to add this param to the linkButton method:
'YII_CSRF_TOKEN' => Yii::app()->request->csrfToken

All works OK now.
But shouldn't this be added automatically by CHtml::linkButton()?

<?php echo CHtml::linkButton('Comprar', array(
    'submit' => '',
    'params' => array(
        'command' => 'comprar',
        'codigo' => $produto->codigo,
        'YII_CSRF_TOKEN' => Yii::app()->request->csrfToken
    ),
    'class' => 'link-1',
));
?>

1

#2 qiang

  • Yii Project Lead
  • Group: Yii Dev Team
  • Posts: 5,855
  • Joined: 04-October 08
  • Location: DC, USA

Posted 26 June 2009 - 02:41 PM

Nice finding and solution.

Unfortunately, we could generate this automatically because a link button can target different locations. Also, in the case where the button is enclosed by a form, a CSRF token is generated by the form.

For these reasons, I added a 'csrf' option to $htmlOptions. By setting this to true, it should achieve the same effect as you did.
1

#3 Ismael

  • Standard Member
  • Group: Members
  • Posts: 163
  • Joined: 02-June 09
  • Location: Brazil

Posted 26 June 2009 - 04:06 PM

Your explanation makes sense, and adding csrf to the options was a good solution!

Thumbs up!
0

#4 iGrog

  • Junior Member
  • Group: Members
  • Posts: 63
  • Joined: 09-October 09

Posted 08 January 2010 - 04:21 AM

What about the simple CHtml::ajaxLink method? It causes a CSRF validation exception even if 'csfr' is set to 'true'.
I think we need to add some logic in public static function CHtml::ajax($options) to add CSRF data.
2

#5 Alan

  • Junior Member
  • Group: Members
  • Posts: 25
  • Joined: 14-December 10
  • Location: Tokyo, Japan

Posted 27 January 2011 - 05:26 AM

iGrog, on 08 January 2010 - 04:21 AM, said:

What about the simple CHtml::ajaxLink method? It causes a CSRF validation exception even if 'csfr' is set to 'true'.
I think we need to add some logic in public static function CHtml::ajax($options) to add CSRF data.


I am finding the same issue with CHtml::ajaxSubmitButton.

e.g.
 echo CHtml::ajaxSubmitButton('text', array('user/update', array('UserName'=>$data->UserName)), $ajaxOptions, array('csrf'=>true));

0

#6 ircha_78

  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 30-September 10

Posted 05 November 2011 - 06:15 PM

iGrog, on 08 January 2010 - 04:21 AM, said:

What about the simple CHtml::ajaxLink method? It causes a CSRF validation exception even if 'csfr' is set to 'true'.
I think we need to add some logic in public static function CHtml::ajax($options) to add CSRF data.

CHtml::ajaxLink('delete', 'delete/'.$data->id, array('type'=>'POST', 'data'=>array('YII_CSRF_TOKEN' => Yii::app()->request->csrfToken)));

0
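
Added example, not part of any post in this thread and not the Yii project's own code: a Yii 1.x view fragment that puts the two fixes from the thread side by side, the 'csrf' option for CHtml::linkButton and an explicit token in the POST data for CHtml::ajaxLink. It assumes CSRF validation is enabled on the request component; $produto and $data are the view variables from the posts above, and $csrfData is a name introduced here.

```php
<?php
// Assumption: the application config enables CSRF validation, e.g.
//   'components' => array(
//       'request' => array('enableCsrfValidation' => true),
//   ),

$request = Yii::app()->request;

// The token field name defaults to 'YII_CSRF_TOKEN' but is configurable
// through CHttpRequest::csrfTokenName, so read it from the component
// instead of hard-coding it. Send nothing extra when validation is off.
$csrfData = $request->enableCsrfValidation
    ? array($request->csrfTokenName => $request->csrfToken)
    : array();

// 1. Link button that is not inside a form: with 'csrf' => true, CHtml adds
//    the token to the parameters submitted by the generated POST.
echo CHtml::linkButton('Comprar', array(
    'submit' => '',
    'params' => array(
        'command' => 'comprar',
        'codigo'  => $produto->codigo,
    ),
    'csrf'   => true,
    'class'  => 'link-1',
));

// 2. AJAX link: the request is built by CHtml::ajax(), so the token has to
//    travel in the 'data' of the AJAX options, as in post #6.
echo CHtml::ajaxLink('delete', 'delete/' . $data->id, array(
    'type' => 'POST',
    'data' => $csrfData,
));
?>
```

Both calls send the token as an ordinary POST field, which is where the request component looks for it when it validates a POST request.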
