CSRF protection for direct url access
#2

What do you mean by "direct url access"?

Have you implemented user login/authentication?

If the user does not have to log in, then effectively, if someone can figure out the URL, they can just browse to it.

If user session authentication is in place, you can put a general check in the controller's __construct method to ensure the user has logged in by that point, and in individual controller methods check that the user is trying to access/edit their own user profile (or profiles they are allowed to see).
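Added example, not part of the original post: a sketch of the two checks described in the reply above, assuming CodeIgniter 3 with its session library. The controller name `Profile`, the session key `user_id`, the login route `auth/login`, the view name and the model `Profile_model` with its `is_visible_to()` method are all hypothetical.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Hypothetical controller: names, routes and the session key are assumptions.
class Profile extends CI_Controller
{
    private $current_user_id;

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
        $this->load->model('Profile_model'); // hypothetical model

        // General check: no method of this controller runs without a login,
        // even when the URL is typed in directly.
        $this->current_user_id = $this->session->userdata('user_id');
        if (empty($this->current_user_id)) {
            redirect('auth/login'); // redirect() stops execution
        }
    }

    public function edit($profile_id = NULL)
    {
        // Per-method check: a logged-in user may edit only their own profile,
        // whatever id appears in the URL segment.
        if ( ! ctype_digit((string) $profile_id)
            OR (int) $profile_id !== (int) $this->current_user_id) {
            show_error('You are not allowed to edit this profile.', 403);
        }
        $this->load->view('profile/edit', array('profile_id' => (int) $profile_id));
    }

    public function view($profile_id = NULL)
    {
        // Viewing is allowed for the owner or for profiles the (hypothetical)
        // model says this user may see.
        if ( ! ctype_digit((string) $profile_id)) {
            show_404();
        }
        $own = ((int) $profile_id === (int) $this->current_user_id);
        if ( ! $own && ! $this->Profile_model->is_visible_to((int) $profile_id, $this->current_user_id)) {
            show_error('You are not allowed to view this profile.', 403);
        }
        $this->load->view('profile/view', array('profile_id' => (int) $profile_id));
    }
}
```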


Messages In This Thread
RE: CSRF protection for direct url access - by Pertti - 11-30-2018, 07:38 AM


