I’ve found that anytime I have a 3rd party application that performs an action via my Yii2 app where POST data is sent that I need to grab, I have to disable enableCsrfValidation.
Is that always required? Or am I doing this wrong?
Here is an example where, to make this work, I have to disable enableCsrfValidation inside the Controller via public $enableCsrfValidation = false. This is a Controller that is used to fill in an ActiveRecord for a class that manages a form. The only time this action is taken is by a 3rd party app to send us data. The 3rd party app is sending a user to us. It sends us some POST data so we can figure out who the user is.

    // Needs at the top of the controller file: use Yii; use yii\helpers\ArrayHelper;
    public function actionCreate()
    {
        $model = new DispatchRequestForm();

        // Copy the fields sent by the 3rd party app onto the form model.
        if (Yii::$app->request->post()) {
            $postData = Yii::$app->request->post();
            $model->client = ArrayHelper::getValue($postData, 'client', null);
            $model->secret = ArrayHelper::getValue($postData, 'secret', null);
            $model->request_by = ArrayHelper::getValue($postData, 'request_by', null);
            $model->ticket_psa_id = ArrayHelper::getValue($postData, 'ticket_id', null);
            $model->type = ArrayHelper::getValue($postData, 'type', null);
        }

        // saveAll() will delete existing related records, so we exclude those for loadAll() and saveAll()
        if ($model->loadAll(Yii::$app->request->post()) && $model->saveAll()) {
            // Assigned after saveAll() has already run, so this value is not written by that save.
            $model->user_id = Yii::$app->user->id;
            return $this->redirect(['view', 'id' => $model->id]);
        } else {
            // No POST data or validation failed: show the form.
            return $this->render('create', ['model' => $model]);
        }
    }
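
One way to scope this, as an added example that is not part of the original post: turn CSRF validation off only for the `create` action that receives the third-party POST, and authenticate that request with the posted `client` and `secret` fields instead. The controller name, the `dispatchClients` params key and its layout (client id => shared secret) are assumptions.

```php
<?php
// Added example, not the poster's code. Assumed names: DispatchRequestController
// and Yii::$app->params['dispatchClients'] (client id => shared secret).

namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;

class DispatchRequestController extends Controller
{
    // Actions that receive cross-site POSTs from the 3rd party app.
    private const EXTERNAL_POST_ACTIONS = ['create'];

    public function beforeAction($action)
    {
        $external = in_array($action->id, self::EXTERNAL_POST_ACTIONS, true);
        if ($external) {
            // The 3rd party cannot know our CSRF token, so skip the check for
            // this action only. This must happen before parent::beforeAction(),
            // which is where yii\web\Controller validates the token.
            $this->enableCsrfValidation = false;
        }
        if (!parent::beforeAction($action)) {
            return false;
        }
        if ($external && Yii::$app->request->isPost) {
            // With CSRF off, the shared secret is what proves who sent the POST.
            $this->requireKnownClient(Yii::$app->request->post());
        }
        return true;
    }

    private function requireKnownClient(array $post): void
    {
        $clients = Yii::$app->params['dispatchClients'] ?? [];
        $client = $post['client'] ?? null;
        $secret = $post['secret'] ?? null;
        // hash_equals() compares in constant time, avoiding a timing side channel.
        if (!is_string($client) || !is_string($secret) || !isset($clients[$client])
            || !hash_equals((string) $clients[$client], $secret)) {
            throw new ForbiddenHttpException('Unknown client or bad secret.');
        }
    }
}
```

Every other action in the controller keeps the default CSRF validation, so the exemption covers only the endpoint the third party posts to.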