renamed Request::csrfTokenName to csrfVar.

added version, csrfVar and csrfToken to yii js module.

renamed Request::csrfTokenName to csrfVar.
51c29e44 · Qiang Xue · f5778b6b · 51c29e44 · 51c29e44 · 51c29e44
Commit 51c29e44 authored Sep 15, 2013 by Qiang Xue
Showing with 35 additions and 12 deletions

yii.js framework/yii/assets/yii.js +6 -0

HtmlBase.php framework/yii/helpers/HtmlBase.php +1 -1

Request.php framework/yii/web/Request.php +11 -11

YiiAsset.php framework/yii/web/YiiAsset.php +17 -0

No files found.
--- a/framework/yii/assets/yii.js
+++ b/framework/yii/assets/yii.js
@@ -43,7 +43,13 @@
 */
 yii = (function ($) {
 	var pub = {
+		// version of Yii framework
 		version: '2.0',
+		// CSRF token name and value. If this is set and a form is created and submitted using JavaScript
+		// via POST, the CSRF token should be submitted too to pass CSRF validation.
+		csrfVar: undefined,
+		csrfToken: undefined,
+
 		initModule: function (module) {
 			if (module.isActive === undefined || module.isActive) {
 				if ($.isFunction(module.init)) {

--- a/framework/yii/helpers/HtmlBase.php
+++ b/framework/yii/helpers/HtmlBase.php
@@ -238,7 +238,7 @@ class HtmlBase
 				$method = 'post';
 			}
 			if ($request->enableCsrfValidation) {
-				$hiddenInputs[] = static::hiddenInput($request->csrfTokenName, $request->getCsrfToken());
+				$hiddenInputs[] = static::hiddenInput($request->csrfVar, $request->getCsrfToken());
 			}
 		}


--- a/framework/yii/web/Request.php
+++ b/framework/yii/web/Request.php
@@ -73,16 +73,16 @@ class Request extends \yii\base\Request
 	 * from the same application. If not, a 400 HTTP exception will be raised.
 	 *
 	 * Note, this feature requires that the user client accepts cookie. Also, to use this feature,
-	 * forms submitted via POST method must contain a hidden input whose name is specified by [[csrfTokenName]].
+	 * forms submitted via POST method must contain a hidden input whose name is specified by [[csrfVar]].
 	 * You may use [[\yii\web\Html::beginForm()]] to generate his hidden input.
 	 * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
 	 */
 	public $enableCsrfValidation = false;
 	/**
-	 * @var string the name of the token used to prevent CSRF. Defaults to 'YII_CSRF_TOKEN'.
-	 * This property is effectively only when {@link enableCsrfValidation} is true.
+	 * @var string the name of the token used to prevent CSRF. Defaults to '_csrf'.
+	 * This property is effectively only when [[enableCsrfValidation]] is true.
 	 */
-	public $csrfTokenName = '_csrf';
+	public $csrfVar = '_csrf';
 	/**
 	 * @var array the configuration of the CSRF cookie. This property is used only when [[enableCsrfValidation]] is true.
 	 * @see Cookie
@@ -975,7 +975,7 @@ class Request extends \yii\base\Request
 	public function getCsrfToken()
 	{
 		if ($this->_csrfCookie === null) {
-			$this->_csrfCookie = $this->getCookies()->get($this->csrfTokenName);
+			$this->_csrfCookie = $this->getCookies()->get($this->csrfVar);
 			if ($this->_csrfCookie === null) {
 				$this->_csrfCookie = $this->createCsrfCookie();
 				Yii::$app->getResponse()->getCookies()->add($this->_csrfCookie);
@@ -994,7 +994,7 @@ class Request extends \yii\base\Request
 	protected function createCsrfCookie()
 	{
 		$options = $this->csrfCookie;
-		$options['name'] = $this->csrfTokenName;
+		$options['name'] = $this->csrfVar;
 		$options['value'] = sha1(uniqid(mt_rand(), true));
 		return new Cookie($options);
 	}
@@ -1015,19 +1015,19 @@ class Request extends \yii\base\Request
 			$cookies = $this->getCookies();
 			switch ($method) {
 				case 'POST':
-					$token = $this->getPost($this->csrfTokenName);
+					$token = $this->getPost($this->csrfVar);
 					break;
 				case 'PUT':
-					$token = $this->getPut($this->csrfTokenName);
+					$token = $this->getPut($this->csrfVar);
 					break;
 				case 'PATCH':
-					$token = $this->getPatch($this->csrfTokenName);
+					$token = $this->getPatch($this->csrfVar);
 					break;
 				case 'DELETE':
-					$token = $this->getDelete($this->csrfTokenName);
+					$token = $this->getDelete($this->csrfVar);
 			}

-			if (empty($token) || $cookies->getValue($this->csrfTokenName) !== $token) {
+			if (empty($token) || $cookies->getValue($this->csrfVar) !== $token) {
 				throw new HttpException(400, Yii::t('yii', 'Unable to verify your data submission.'));
 			}
 		}

--- a/framework/yii/web/YiiAsset.php
+++ b/framework/yii/web/YiiAsset.php
@@ -7,6 +7,8 @@

 namespace yii\web;

+use Yii;
+
 /**
 * @author Qiang Xue <qiang.xue@gmail.com>
 * @since 2.0
@@ -20,4 +22,19 @@ class YiiAsset extends AssetBundle
 	public $depends = array(
 		'yii\web\JqueryAsset',
 	);
+
+	/**
+	 * @inheritdoc
+	 */
+	public function registerAssets($view)
+	{
+		parent::registerAssets($view);
+		$js[] = "yii.version = '" . Yii::getVersion() . "';";
+		$request = Yii::$app->getRequest();
+		if ($request instanceof Request && $request->enableCsrfValidation) {
+			$js[] = "yii.csrfVar = '{$request->csrfVar}';";
+			$js[] = "yii.csrfToken = '{$request->csrfToken}';";
+		}
+		$view->registerJs(implode("\n", $js));
+	}
 }