7

I need to create "bulk actions" similar to wordpress posts management, so you can for example delete multiple records at a time.

This is my approach, and works fine, but I'm sure it is not the best approach, since this method is vulnerable to CSRF hacks.

Checkbox column in a gridview:

GridView::widget([
'dataProvider' => $dataProvider,    
'columns' => [
['class' => 'yii\grid\CheckboxColumn'],
'id'=>'grid',
'country',
],
]); 

Button that fires a function

<a href="#" onclick="bulkAction('p');">

The function:

<script>
    function bulkAction(a) {
        var keys = $('#grid').yiiGridView('getSelectedRows');
        window.location.href='<?php echo Url::to(['mycontroller/bulk']); ?>&action='+a+'&ids='+keys.join();
    }
</script>

This function creates a url like this:

index.php?r=mycontroller/bulk&action=1&ids=2,6,7,8

PROBLEM IS This approach is vulnerable to CSRF hacks (explained here: http://blog.codinghorror.com/cross-site-request-forgeries-and-you/)

So, what is the PROPER way to do it?

lalo
  • 901
  • 2
  • 10
  • 15
  • I answered similar question here: http://stackoverflow.com/questions/27397588/yii-2-how-to-bulk-delete-data-in-kartik-grid-view/ – arogachev Mar 11 '15 at 17:59

2 Answers2

12

I solved it myself like this:

This way the form gets protected from CSRF and everything goes in a POST request.

This is the view:

<?=Html::beginForm(['controller/bulk'],'post');?>
<?=Html::dropDownList('action','',[''=>'Mark selected as: ','c'=>'Confirmed','nc'=>'No Confirmed'],['class'=>'dropdown',])?>
<?=Html::submitButton('Send', ['class' => 'btn btn-info',]);?>
<?=GridView::widget([
'dataProvider' => $dataProvider,
'columns' => [
['class' => 'yii\grid\CheckboxColumn'],
'id',
],
]); ?>
<?= Html::endForm();?> 

This is the controller:

public function actionBulk(){
    $action=Yii::$app->request->post('action');
    $selection=(array)Yii::$app->request->post('selection');//typecasting
    foreach($selection as $id){
        $e=Evento::findOne((int)$id);//make a typecasting
        //do your stuff
        $e->save();
    }
    }
lalo
  • 901
  • 2
  • 10
  • 15
0

Well first of all do not do what you do. Like you said that is opened to CRSF. Use POST and not GET to take the values to your controller. arogachev's link and answer might tells you how to do that I believe. 1 additional thing with the CRSF, you can get the CRSF of the page from yii, take a look here Getting bad request (#400) on Ajax calls using Yii 2 but not on the accepted answer (that is mine :)) but to the other one.

Community
  • 1
  • 1
Mihai P.
  • 9,307
  • 3
  • 38
  • 49