Fixes #10675: Added docs for disabling CSRF validation in standalone …

…actions
yiisoft · Apr 10, 2017 · 9445e55 · 9445e55
1 parent e62ea01
commit 9445e55
Showing 1 changed file with 26 additions and 1 deletion.
diff --git a/docs/guide/security-best-practices.md b/docs/guide/security-best-practices.md
@@ -209,11 +209,36 @@ class SiteController extends Controller
 }
 ```
 
+Disabling CSRF validation in [standalone actions](structure-controllers.md#standalone-actions) must be done in `init()`
+method. Do not place this code into `beforeRun()` method because it won't have effect.
+
+```php
+<?php
+
+namespace app\components;
+
+use yii\base\Action;
+
+class ContactAction extends Action
+{
+    public function run()
+    {
+          $model = new ContactForm();
+          $request = Yii::$app->request;
+          if ($request->referrer === 'yiipowered.com'
+              && $model->load($request->post())
+              && $model->validate()
+          ) {
+              $model->sendEmail();
+          }
+    }
+}
+```
+
 Further reading on the topic:
 
 - <https://www.owasp.org/index.php/CSRF>
 
-
 Avoiding file exposure
 ----------------------