/**
 * Delete the current model, flash the success message and redirect.
 *
 * Calls parent::run($id) first, then deletes $this->_model, stores
 * $this->successMessage under the 'success' flash key and returns the
 * controller's redirect to $this->redirectUrl.
 *
 * NOTE(review): the return value of delete() is not inspected, so the success
 * flash is set even if the delete reports failure - confirm that is intended.
 * NOTE(review): this action is destructive; confirm the owning controller
 * restricts it to non-GET verbs (e.g. with yii\filters\VerbFilter) so that
 * Yii's CSRF validation covers it.
 *
 * @inheritdoc
 */
public function run($id)
{
    parent::run($id);

    $record = $this->_model;
    $record->delete();

    $session = \Yii::$app->session;
    $session->setFlash('success', $this->successMessage);

    $controller = $this->controller;

    return $controller->redirect($this->redirectUrl);
}
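/**
 * Is the passed ID valid?
 *
 * Validate the id in the URL (the parent function) and then validate the id in the data.
 *
 * The data-id check is independent of the config setting `validateId`; this checks whether
 * the id in the URL matches the id in the submitted data. If the id is different, this
 * probably indicates a malicious form submission, attempting to add/edit a record the user
 * doesn't have permission for by submitting to a URL they do have permission to access.
 *
 * The check stays type insensitive (integer 5 matches string "5"), but it compares the
 * string form of both values instead of using `==`. PHP's loose comparison treats two
 * numeric-looking strings as numbers, so distinct keys such as "1e3" and "1000" would be
 * reported as equal, which weakens the check for string primary keys.
 *
 * @param mixed $id The id taken from the URL
 * @return boolean True when there is no data id to compare, or when it matches $id
 * @throws BadRequestException If id is invalid (the class actually thrown comes from the
 *   `invalidId` message configuration)
 */
protected function _validateId($id)
{
    parent::_validateId($id);

    $request = $this->_request();
    if (!$request->data) {
        // Nothing was submitted, so there is no data id to cross-check.
        return true;
    }

    $model = $this->_model();

    // Prefer the aliased field (Alias.primaryKey), fall back to the bare primary key field.
    // NOTE(review): `?:` treats every falsy value ('', '0', 0) as "not submitted", so a
    // falsy aliased id is never compared with the URL id - confirm that is acceptable.
    $dataId = $request->data($model->alias . '.' . $model->primaryKey) ?: $request->data($model->primaryKey);
    if ($dataId === null) {
        return true;
    }

    // Type insensitive, but exact: cast both sides to string and compare strictly.
    // Non-scalar values (e.g. an array submitted for the id field) never match.
    if (is_scalar($dataId) && is_scalar($id) && (string)$dataId === (string)$id) {
        return true;
    }

    $this->_trigger('invalidId', array('id' => $dataId));

    $message = $this->message('invalidId');
    $exceptionClass = $message['class'];
    throw new $exceptionClass($message['text'], $message['code']);
}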
/**
 * Render the configured view for the current model.
 *
 * Calls parent::run($id) first, then passes $this->_model to $this->view under
 * the key `model`. AJAX requests are rendered with renderAjax(); all other
 * requests go through render().
 *
 * @inheritdoc
 */
public function run($id)
{
    parent::run($id);

    $params = ['model' => $this->_model];

    if (\Yii::$app->request->isAjax) {
        return $this->controller->renderAjax($this->view, $params);
    }

    return $this->controller->render($this->view, $params);
}