yii - Yii2 How to properly create checkbox column in gridview for bulk actions?

Question

I need to create "bulk actions" similar to wordpress posts management, so you can for example delete multiple records at a time.

This is my approach, and works fine, but I'm sure it is not the best approach, since this method is vulnerable to CSRF hacks.

Checkbox column in a gridview:

GridView::widget([
'dataProvider' => $dataProvider,    
'columns' => [
['class' => 'yiigridCheckboxColumn'],
'id'=>'grid',
'country',
],
]); 

Button that fires a function

<a href="#" onclick="bulkAction('p');">

The function:

<script>
    function bulkAction(a) {
        var keys = $('#grid').yiiGridView('getSelectedRows');
        window.location.href='<?php echo Url::to(['mycontroller/bulk']); ?>&action='+a+'&ids='+keys.join();
    }
</script>

This function creates a url like this:

index.php?r=mycontroller/bulk&action=1&ids=2,6,7,8

PROBLEM IS This approach is vulnerable to CSRF hacks (explained here: http://blog.codinghorror.com/cross-site-request-forgeries-and-you/)

So, what is the PROPER way to do it?

Answer 1

I solved it myself like this:

This way the form gets protected from CSRF and everything goes in a POST request.

This is the view:

<?=Html::beginForm(['controller/bulk'],'post');?>
<?=Html::dropDownList('action','',[''=>'Mark selected as: ','c'=>'Confirmed','nc'=>'No Confirmed'],['class'=>'dropdown',])?>
<?=Html::submitButton('Send', ['class' => 'btn btn-info',]);?>
<?=GridView::widget([
'dataProvider' => $dataProvider,
'columns' => [
['class' => 'yiigridCheckboxColumn'],
'id',
],
]); ?>
<?= Html::endForm();?> 

This is the controller:

public function actionBulk(){
    $action=Yii::$app->request->post('action');
    $selection=(array)Yii::$app->request->post('selection');//typecasting
    foreach($selection as $id){
        $e=Evento::findOne((int)$id);//make a typecasting
        //do your stuff
        $e->save();
    }
    }