Commit f9b95755 by Qiang Xue

Added Controller::enableCsrfValidation to support turning on/off CSRF validation…

Added Controller::enableCsrfValidation to support turning on/off CSRF validation for particular actions.
parent 0fc423c7
......@@ -210,6 +210,7 @@ class Controller extends Component
/**
* This method is invoked right before an action is to be executed (after all possible filters.)
* You may override this method to do last-minute preparation for the action.
* If you override this method, please make sure you call the parent implementation first.
* @param Action $action the action to be executed.
* @return boolean whether the action should continue to be executed.
*/
......@@ -223,6 +224,7 @@ class Controller extends Component
/**
* This method is invoked right after an action is executed.
* You may override this method to do some postprocessing for the action.
* If you override this method, please make sure you call the parent implementation first.
* @param Action $action the action just executed.
* @param mixed $result the action return result.
*/
......
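Review bot: The sentence added to the beforeAction() docblock tells overriders to call the parent first but not to honour its boolean result, even though the method is documented (`@return boolean whether the action should continue`) as a gate and yii\web\Controller's override in this same commit uses that result to decide whether CSRF validation runs at all. An override that calls `parent::beforeAction($action)` and then unconditionally returns true would run the action with the parent's checks effectively ignored. I would make the contract explicit: `* If you override this method, please make sure you call the parent implementation first and return false if it returns false.` The afterAction() sentence is fine as written since that method has no return value. The bodies of both methods lie outside this hunk.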
......@@ -20,6 +20,12 @@ use yii\helpers\Html;
class Controller extends \yii\base\Controller
{
/**
* @var boolean whether to enable CSRF validation for the actions in this controller.
* CSRF validation is enabled only when both this property and [[Request::enableCsrfValidation]] are true.
*/
public $enableCsrfValidation = true;
/**
* Binds the parameters to the action.
* This method is invoked by [[Action]] when it begins to run with the given parameters.
* This method will check the parameter names that the action requires and return
......@@ -62,6 +68,18 @@ class Controller extends \yii\base\Controller
}
/**
* @inheritdoc
*/
public function beforeAction($action)
{
if (parent::beforeAction($action)) {
return !$this->enableCsrfValidation || Yii::$app->getRequest()->validateCsrfToken();
} else {
return false;
}
}
/**
* Creates a URL using the given route and parameters.
*
* This method enhances [[UrlManager::createUrl()]] by supporting relative routes.
......
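Review bot: The `||` on the return line of the new beforeAction() assumes `Yii::$app->getRequest()->validateCsrfToken()` returns a truthy value on success, but that method's docblock in this commit documents failure only as a thrown 400 HttpException and declares no `@return`; if it returns void, `!true || null` evaluates to false and every CSRF-enabled action is silently refused rather than protected. Its body is outside this diff, so this may be fine today, but the gating logic should not depend on it: treat the exception as the failure path and return true explicitly. A second consequence worth stating in the `$enableCsrfValidation` docblock is that, with the call removed from Request::resolve(), CSRF validation now only covers actions of controllers that extend yii\web\Controller and whose beforeAction() chain reaches this implementation; a subclass that overrides beforeAction() without returning the parent's result disables the check without any error, e.g. `* Note: validation is performed in [[beforeAction()]], so overrides must call the parent implementation and respect its return value.`
```php
public function beforeAction($action)
{
    if (!parent::beforeAction($action)) {
        return false;
    }
    // validateCsrfToken() reports a failed check by throwing an HttpException (400),
    // so reaching the next line means the request passed or validation is disabled.
    if ($this->enableCsrfValidation) {
        Yii::$app->getRequest()->validateCsrfToken();
    }
    return true;
}
```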
......@@ -87,6 +87,7 @@ class Request extends \yii\base\Request
* In JavaScript, you may get the values of [[csrfVar]] and [[csrfToken]] via `yii.getCsrfVar()` and
* `yii.getCsrfToken()`, respectively. The [[\yii\web\YiiAsset]] asset must be registered.
*
* @see Controller::enableCsrfValidation
* @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
*/
public $enableCsrfValidation = false;
......@@ -122,8 +123,6 @@ class Request extends \yii\base\Request
*/
public function resolve()
{
$this->validateCsrfToken();
$result = Yii::$app->getUrlManager()->parseRequest($this);
if ($result !== false) {
list ($route, $params) = $result;
......@@ -1023,6 +1022,7 @@ class Request extends \yii\base\Request
* Performs the CSRF validation.
* The method will compare the CSRF token obtained from a cookie and from a POST field.
* If they are different, a CSRF attack is detected and a 400 HTTP exception will be raised.
* This method is called in [[Controller::beforeAction()]].
* @throws HttpException if the validation fails
*/
public function validateCsrfToken()
......
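Review bot: Removing `$this->validateCsrfToken();` from resolve() changes the scope of what `Request::$enableCsrfValidation = true` promises, and the property docblock in this hunk does not say so. Previously the token was checked for every request before routing; after this commit it is checked only for actions reached through yii\web\Controller::beforeAction(), so requests handled by a controller not derived from yii\web\Controller, or by an override that skips the parent call, are no longer validated. I would add to the docblock above the property: `* Note that the validation is performed in [[Controller::beforeAction()]], so it only applies to actions of controllers that extend [[\yii\web\Controller]] and invoke the parent implementation of beforeAction().` The new sentence on validateCsrfToken() ("This method is called in ...") is accurate, but it would also help to document its return value there, since the new caller in Controller::beforeAction() uses it in a boolean expression; the method body is outside this hunk so I cannot confirm what it returns on success.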