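class ValidateCsrfByGet extends CHttpRequest {
    public function validateCsrfToken($event) {
        // only validate POST requests
        if(!$this->getIsPostRequest()) return;
        $cookies=$this->getCookies();
        if($cookies->contains($this->csrfTokenName) && isset($_POST[$this->csrfTokenName])
            && $cookies->itemAt($this->csrfTokenName)->value===$_POST[$this->csrfTokenName]) return; // cookie token matches the POSTed token
        throw new CHttpException(400,Yii::t('yii','The CSRF token could not be verified.'));
    }
}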
I was expecting to be able to make changes to this function and for those to affect the CSRF check in any forms on the site. Even when I only have the throw exception line, no forms are affected.
In case anyone was looking for a clean solution to this problem, I forked file-uploader and added the ability to add POST key/value pairs. When creating your file uploader, set encoding to ‘multipart’, and pass in your CSRF token into multipartParams. It will arrive as a $_POST parameter and your CSRF protection will work as expected.
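Why the multipart approach described above satisfies the POST-only check, as an added example that is not part of the original posts and is not file-uploader's own code. It assumes the non-multipart upload sends the file as the raw request body with any parameters in the query string; `YII_CSRF_TOKEN` is Yii 1.1's default `csrfTokenName`, and the `file` field name, token, boundary and file contents are constructed samples.

```javascript
// Added example. Models only the two upload encodings discussed in this thread.
const TOKEN_NAME = 'YII_CSRF_TOKEN'; // Yii 1.1 default csrfTokenName

// Encode text fields plus one file as a multipart/form-data body.
function encodeMultipart(fields, file, boundary) {
  const parts = Object.entries(fields).map(([name, value]) =>
    `--${boundary}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`);
  parts.push(`--${boundary}\r\nContent-Disposition: form-data; name="${file.field}"; ` +
    `filename="${file.name}"\r\nContent-Type: application/octet-stream\r\n\r\n${file.data}\r\n`);
  return parts.join('') + `--${boundary}--\r\n`;
}

// Fields PHP would place in $_POST: multipart parts without a filename.
// A raw (non-form) body is never parsed into $_POST, so the result is empty.
function phpPostFields(contentType, body) {
  const post = {};
  const m = /^multipart\/form-data;\s*boundary=(.+)$/i.exec(contentType);
  if (!m) return post;
  for (const part of body.split(`--${m[1]}`)) {
    const sep = part.indexOf('\r\n\r\n');
    if (sep === -1) continue; // preamble or closing delimiter
    const headers = part.slice(0, sep);
    const name = /name="([^"]*)"/.exec(headers);
    if (!name || /filename="/.test(headers)) continue; // file parts go to $_FILES
    post[name[1]] = part.slice(sep + 4).replace(/\r\n$/, '');
  }
  return post;
}

// Same comparison validateCsrfToken() makes: cookie token vs. POSTed token.
function csrfValid(cookieToken, post) {
  return Object.hasOwn(post, TOKEN_NAME) && post[TOKEN_NAME] === cookieToken;
}

const token = 'constructed-sample-token';
const file = { field: 'file', name: 'a.txt', data: 'hello' };
const boundary = 'sampleBoundary123';

// Raw-body upload: the token is only in the query string, so $_POST is empty.
const raw = phpPostFields('application/octet-stream', file.data);
// Multipart upload: the token is a form field next to the file part.
const multi = phpPostFields(`multipart/form-data; boundary=${boundary}`,
  encodeMultipart({ [TOKEN_NAME]: token }, file, boundary));

console.log(csrfValid(token, raw), csrfValid(token, multi)); // false true
```

Keeping the token in the request body also keeps it out of URLs, which end up in server logs and Referer headers.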