Yii2 How to properly create checkbox column in gridview for bulk actions?

Asked 11/3, 2015 at 17:8 Answered 12/3, 2015 at 18:13

I need to create "bulk actions" similar to wordpress posts management, so you can for example delete multiple records at a time.

This is my approach, and works fine, but I'm sure it is not the best approach, since this method is vulnerable to CSRF hacks.

Checkbox column in a gridview:

GridView::widget([
'dataProvider' => $dataProvider,    
'columns' => [
['class' => 'yii\grid\CheckboxColumn'],
'id'=>'grid',
'country',
],
]);

Button that fires a function

<a href="#" onclick="bulkAction('p');">

The function:

<script>
    function bulkAction(a) {
        var keys = $('#grid').yiiGridView('getSelectedRows');
        window.location.href='<?php echo Url::to(['mycontroller/bulk']); ?>&action='+a+'&ids='+keys.join();
    }
</script>

This function creates a url like this:

index.php?r=mycontroller/bulk&action=1&ids=2,6,7,8

PROBLEM IS This approach is vulnerable to CSRF hacks (explained here: http://blog.codinghorror.com/cross-site-request-forgeries-and-you/)

So, what is the PROPER way to do it?

Ogilvy answered 11/3, 2015 at 17:8 Comment(1)

I answered similar question here: #27398088 – Megawatt 11/3, 2015 at 17:59

I solved it myself like this:

This way the form gets protected from CSRF and everything goes in a POST request.

This is the view:

<?=Html::beginForm(['controller/bulk'],'post');?>
<?=Html::dropDownList('action','',[''=>'Mark selected as: ','c'=>'Confirmed','nc'=>'No Confirmed'],['class'=>'dropdown',])?>
<?=Html::submitButton('Send', ['class' => 'btn btn-info',]);?>
<?=GridView::widget([
'dataProvider' => $dataProvider,
'columns' => [
['class' => 'yii\grid\CheckboxColumn'],
'id',
],
]); ?>
<?= Html::endForm();?>

This is the controller:

public function actionBulk(){
    $action=Yii::$app->request->post('action');
    $selection=(array)Yii::$app->request->post('selection');//typecasting
    foreach($selection as $id){
        $e=Evento::findOne((int)$id);//make a typecasting
        //do your stuff
        $e->save();
    }
    }

Ogilvy answered 12/3, 2015 at 18:13 Comment(3)

In controller file, why are you declare $action variable? – Pandich 26/11, 2015 at 9:42

Thanks a lot, it's work well for me. But how do I can show an alert if the user click the button without check any checkbox? Thanks – Geest 2/8, 2017 at 17:17

Well but when you are using GridView inside the Form your filters will not work. How you will fix that? – Vacillating 19/10, 2017 at 13:59

Well first of all do not do what you do. Like you said that is opened to CRSF. Use POST and not GET to take the values to your controller. arogachev's link and answer might tells you how to do that I believe. 1 additional thing with the CRSF, you can get the CRSF of the page from yii, take a look here Getting bad request (#400) on Ajax calls using Yii 2 but not on the accepted answer (that is mine :)) but to the other one.

Backsaw answered 11/3, 2015 at 21:28 Comment(0)

Recommended topics

Hot tags