diff --git a/framework/yii/web/Controller.php b/framework/yii/web/Controller.php
index 9238063..773e2de 100644
--- a/framework/yii/web/Controller.php
+++ b/framework/yii/web/Controller.php
@@ -73,7 +73,10 @@ class Controller extends \yii\base\Controller
 	public function beforeAction($action)
 	{
 		if (parent::beforeAction($action)) {
-			return !$this->enableCsrfValidation || Yii::$app->getRequest()->validateCsrfToken();
+			if ($this->enableCsrfValidation && !Yii::$app->getRequest()->validateCsrfToken()) {
+				throw new HttpException(400, Yii::t('yii', 'Unable to verify your data submission.'));
+			}
+			return true;
 		} else {
 			return false;
 		}
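Review bot: With this change `beforeAction()` becomes the place where a failed CSRF check turns into a 400, but nothing visible in the hunk documents that; the method's docblock lies outside the hunk and should gain `@throws HttpException if CSRF validation fails`. The token check runs only after `parent::beforeAction($action)` returns true, so whatever the parent call triggers runs before the request is verified. If that order is intentional, a short comment such as `// CSRF is validated after parent::beforeAction() so handlers can still toggle enableCsrfValidation` would record the reason. Subclasses that override `beforeAction()` without calling the parent skip the check entirely, which is also worth stating in the docblock. The function's closing brace is outside the hunk.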
diff --git a/framework/yii/web/Request.php b/framework/yii/web/Request.php
index 1186e05..6b805ea 100644
--- a/framework/yii/web/Request.php
+++ b/framework/yii/web/Request.php
@@ -1023,12 +1023,12 @@ class Request extends \yii\base\Request
 	 * The method will compare the CSRF token obtained from a cookie and from a POST field.
 	 * If they are different, a CSRF attack is detected and a 400 HTTP exception will be raised.
 	 * This method is called in [[Controller::beforeAction()]].
-	 * @throws HttpException if the validation fails
+	 * @return boolean whether CSRF token is valid. If [[enableCsrfValidation]] is false, this method will return true.
 	 */
 	public function validateCsrfToken()
 	{
 		if (!$this->enableCsrfValidation) {
-			return;
+			return true;
 		}
 		$method = $this->getMethod();
 		if ($method === 'POST' || $method === 'PUT' || $method === 'PATCH' || $method === 'DELETE') {
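Review bot: The unchanged docblock line "If they are different, a CSRF attack is detected and a 400 HTTP exception will be raised" is now stale, because the method returns a boolean and no longer throws. Reword it to something like `If they are different, a CSRF attack is detected and false is returned; the caller must reject the request.` This matters beyond wording: a caller that invoked `validateCsrfToken()` for its exception and ignores the return value will now let an unverified request through. The class docs or changelog should flag the contract change, and any other call sites (not visible here) should be checked. The method body continues past the end of this hunk.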
@@ -1047,10 +1047,9 @@ class Request extends \yii\base\Request
 					$token = $this->getDelete($this->csrfVar);
 			}
 
-			$valid = !empty($token) && $token === $trueToken || $this->getCsrfTokenFromHeader() === $trueToken;
-			if (!$valid) {
-				throw new HttpException(400, Yii::t('yii', 'Unable to verify your data submission.'));
-			}
+			return !empty($token) && $token === $trueToken || $this->getCsrfTokenFromHeader() === $trueToken;
+		} else {
+			return true;
 		}
 	}
 }
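Review bot: In the new `return` expression only the form-field branch is guarded by `!empty($token)`; because `&&` binds tighter than `||`, the header branch is a bare `$this->getCsrfTokenFromHeader() === $trueToken`. `$trueToken` is assigned outside the hunk, but if it can be null or empty (for example when no CSRF cookie was sent) and the header getter returns the same empty value, the comparison is true and validation passes with no token at all. Requiring a non-empty reference token first closes that: `return !empty($trueToken) && ($token === $trueToken || $this->getCsrfTokenFromHeader() === $trueToken);`. Separately, `===` on secrets is not constant-time; a timing-safe comparison helper would be preferable where the supported PHP version offers one. The function starts outside this hunk.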