| public validateCsrfToken ( string $token = null ) : boolean | ||
| $token | string | the user-provided CSRF token to be validated. If null, the token will be retrieved from the [[csrfParam]] POST field or HTTP header. This parameter is available since version 2.0.4. |
| return | boolean | whether CSRF token is valid. If [[enableCsrfValidation]] is false, this method will return true. |
public function validateCsrfToken($token = null)
{
$method = $this->getMethod();
// only validate CSRF token on non-"safe" methods http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
if (!$this->enableCsrfValidation || in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
return true;
}
$trueToken = $this->loadCsrfToken();
if ($token !== null) {
return $this->validateCsrfTokenInternal($token, $trueToken);
} else {
return $this->validateCsrfTokenInternal($this->getBodyParam($this->csrfParam), $trueToken) || $this->validateCsrfTokenInternal($this->getCsrfTokenFromHeader(), $trueToken);
}
} public function validateCsrfToken()
{
if ($this->enableCsrfValidation && in_array(Yii::$app->getUrlManager()->parseRequest($this)[0], $this->noCsrfRoutes)) {
return true;
}
return parent::validateCsrfToken();
}
