I have Gii-generated CRUD source code and views. I need to enable CSRF protection. It is enabled and works OK in all other parts of the project, but I get the following error when I try to delete a record from the standard ‘admin’ screen: Error 400 The CSRF token could not be verified.
Here is the code I use:
    $this->menu=array(
        array('label'=>'List', 'url'=>array('index')),
        array('label'=>'Create', 'url'=>array('create')),
        array('label'=>'Update', 'url'=>array('update', 'id'=>$model->id)),
        array('label'=>'Delete', 'url'=>'#', 'linkOptions'=>array(
            'submit'=>array('delete', 'id'=>$model->id, 'YII_CSRF_TOKEN'=>Yii::app()->request->csrfToken),
            'confirm'=>'Are you sure you want to delete this item?',
        )),
        array('label'=>'Manage', 'url'=>array('admin')),
    );
Please note that the CSRF token is added to the parameters of the “Delete” menu item. According to the browser console, the CSRF token is actually added and passed to the server. It is the same as when I click the ‘x’ button in the admin grid, which deletes records perfectly. The only difference I see between these two cases is that the ‘x’ button appends an ‘ajax’ parameter to the URL.
What is the proper way to pass the CSRF token from a menu like this?
Thanks in advance.
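
One way to make the menu link send the token where Yii 1.1 checks it, as an added example that is not part of the original post. It assumes Yii 1.1's `CHtml` link options `params` and `csrf`, and the same `$model` and view context as the snippet above.

```php
<?php
// Added example for a Yii 1.1 view (for instance the Gii-generated view.php).
//
// In the posted snippet the token is an element of the 'submit' route array,
// so it ends up in the query string of the target URL. For a POST request,
// CHttpRequest::validateCsrfToken() compares the CSRF cookie with the field
// in the POST body, finds no such field, and raises the 400 error.

$request = Yii::app()->request;

$this->menu = array(
    array('label' => 'List', 'url' => array('index')),
    array('label' => 'Create', 'url' => array('create')),
    array('label' => 'Update', 'url' => array('update', 'id' => $model->id)),
    array(
        'label' => 'Delete',
        'url' => '#',
        'linkOptions' => array(
            // Route only: the URL the generated form is POSTed to.
            'submit' => array('delete', 'id' => $model->id),
            // Fields placed in the POST body as hidden inputs.
            // csrfTokenName is used instead of a hard-coded field name so
            // the link keeps working if the token name is reconfigured.
            'params' => array(
                $request->csrfTokenName => $request->csrfToken,
            ),
            // Alternative to 'params': let CHtml add the token itself.
            // 'csrf' => true,
            'confirm' => 'Are you sure you want to delete this item?',
        ),
    ),
    array('label' => 'Manage', 'url' => array('admin')),
);
```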