Re: Authentication redirect problem when not logged in

2014-08-08 Thread Sam Clauw
Aha, a combination of your posts solved this problem ;)

However, I've got another one when trying to log in now. The password 
comparison doesn't work. The password values in my database are built up 
with the Blowfish hasher. When I'm submitting my login form, it compares 
the text value of the password with the Blowfish value of the password and 
always returns false.

*CoasterCmsAppController.php*

public $components = array(
    'Session',
    'Paginator',
    'Auth' => array(
        'loginAction' => array(
            'plugin' => 'coaster_cms',
            'controller' => 'users',
            'action' => 'login'
        ),
        'loginRedirect' => array(
            'plugin' => 'coaster_cms',
            'controller' => 'cms_pages',
            'action' => 'index'
        ),
        'logoutRedirect' => array(
            'plugin' => 'CoasterCms',
            'controller' => 'attractions',
            'action' => 'index',
        ),
        'authenticate' => array(
            'Form' => array(
                // compare submitted passwords against bcrypt ("Blowfish") hashes
                'passwordHasher' => 'Blowfish'
            )
        )
    )
);

*UsersController.php (controller)*

public function login()
{
    $this->layout = 'login';
    if ($this->request->is('post')) {
        if ($this->Auth->login()) {
            return $this->redirect($this->Auth->redirect());
        }
        $this->Session->setFlash(__('Ongeldige login combinatie.'),
            'default', array(
                'class' => 'alert alert-danger'
            ));
    }
}

*login.ctp (login view)*

echo $this->Form->create('User', array(
    'type' => 'file',
    'novalidate' => true, // browser validation
    'inputDefaults' => array(
        'label' => true,
        'div' => 'form-group',
        'class' => 'form-control'
    ),
    'role' => 'form'
));

echo $this->Form->inputs(array(
    'legend' => false,
    'username' => array(
        'label' => 'Gebruikersnaam'
    ),
    'password' => array(
        'label' => 'Wachtwoord'
    )
));

echo $this->Form->end('Login');

*FYI: User.php (model)*

// at the top of User.php, so the hasher class is loaded
App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');

public function beforeSave($options = array())
{
    if (isset($this->data[$this->alias]['password'])) {
        // hash the plaintext before it is written to the database
        $passwordHasher = new BlowfishPasswordHasher();
        $this->data[$this->alias]['password'] = $passwordHasher->hash(
            $this->data[$this->alias]['password']
        );
    }
    return true;
}

As I read in this StackOverflow post, the password input field should be 
converted automatically to the Blowfish hash and after that, the comparing 
should be done.
Am I forgetting something crucial?

-- 
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

--- 
You received this message because you are subscribed to the Google Groups 
CakePHP group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.


Re: Authentication redirect problem when not logged in

2014-08-08 Thread Sam Clauw
Okay, leave it guys! When I posted my previous question, I suddenly 
realised that my database structure reserved 50 characters for the password 
field instead of 60. When changing this, it's all working great. Thanks 
anyway!!!

On Friday, 8 August 2014 12:11:38 UTC+2, Sam Clauw wrote:

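The fix above is worth seeing mechanically: a bcrypt ("Blowfish") hash is always 60 characters, and a MySQL server running in non-strict SQL mode cuts a longer value down to the column width with only a warning, so a VARCHAR(50) column stores a hash that can never verify. The following is an added example, not code from the thread or from CakePHP; it uses PHP's built-in password_hash()/password_verify(), which produce the same "$2y$" bcrypt format that CakePHP 2's BlowfishPasswordHasher wraps, and the column widths and sample password are constructed for the demo. The isWellFormedBcrypt() guard is a suggested check to run in beforeSave() or a migration test so that a too-narrow column is caught before the first login fails.

```php
<?php
// Added example; not code from the thread. password_hash()/password_verify()
// produce the same 60-character "$2y$" bcrypt format that CakePHP 2's
// BlowfishPasswordHasher wraps. Column widths and the password are constructed.

/** A bcrypt ("Blowfish") hash is always exactly this long. */
const BCRYPT_HASH_LENGTH = 60;

/**
 * Simulate what a MySQL server in non-strict SQL mode does with a VARCHAR(n)
 * column: the value is silently cut to n characters instead of being rejected.
 */
function storeInColumn(string $hash, int $columnWidth): string
{
    return substr($hash, 0, $columnWidth);
}

/**
 * Guard to run before writing a hash (for example in Model::beforeSave):
 * refuses anything that is not a full-length, well-formed bcrypt hash
 * ($2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest).
 */
function isWellFormedBcrypt(string $hash): bool
{
    return strlen($hash) === BCRYPT_HASH_LENGTH
        && preg_match('/^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $hash) === 1;
}

function loginSucceeds(string $storedHash, string $submittedPassword): bool
{
    // password_verify() re-hashes the submitted password with the salt and
    // cost embedded in the stored hash; a truncated hash can never match.
    return password_verify($submittedPassword, $storedHash);
}

$password = 'correct horse battery staple';   // constructed sample credential
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

printf("fresh hash: %d chars, well-formed: %s\n",
    strlen($hash), isWellFormedBcrypt($hash) ? 'yes' : 'no');

// Compare the thread's original VARCHAR(50) column with the corrected VARCHAR(60).
foreach ([50, 60] as $width) {
    $stored = storeInColumn($hash, $width);
    printf("VARCHAR(%d): stored %d chars, well-formed: %s, login: %s\n",
        $width,
        strlen($stored),
        isWellFormedBcrypt($stored) ? 'yes' : 'no',
        loginSucceeds($stored, $password) ? 'succeeds' : 'fails');
}
```

Running it with `php` shows the 50-character column failing both the format guard and the login while the 60-character column passes both. The same guard, placed where the hash is written, turns a silent "wrong password" for every user into a loud error at save time.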


Re: authenticate wont reroute

2014-08-08 Thread ajt

The issue is that the router is adding the subfolder where the project 
resides, and not the root dir, which I can't access with routing.
I can't get to the desired page for unauthorized users.

Router::connect('/', array('controller' => 'users', 'action' => 'login'));

This routes to crm/crm/... again, with the project name repeated. How do 
I stop this, as this is the problem?



GET or POST

2014-08-08 Thread Steve Thomas
I'm wondering what everyone is doing about the default links. I'm setting 
up an application that has multiple companies with multiple employees. One 
company can't see another company's employees.
However, if a manager can display a list of all their employees and edit 
them via GET, they can simply change the id in the address bar to pull up 
any arbitrary employee from their company or any other company.

If I use a postLink, then the edit page opens blank because 
the setFlash(__('The user could not be saved. Please, try again.')) is 
triggered before the find('list') can fill out the form.
I'm only a couple of weeks new to cakephp and am under the impression cakephp 
won't allow an is() to validate a particular post name so I can create 
actions based on which post is being submitted; self or a view.

I tried to leave the link as GET and encrypt/decrypt, but that continued to 
fail.
Please, any suggestions would be great. I can't imagine this security hole 
doesn't have an easy fix. I just haven't seen it yet.

Thanks
Steve

-- 
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

--- 
You received this message because you are subscribed to the Google Groups 
CakePHP group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.


Re: GET or POST

2014-08-08 Thread euromark
I think you are confusing a few things here.
GET/POST has nothing to do with what pages you can access.
You should use role-based (preferred) or row-based access control on those forms 
and non-public actions.

The type is relevant for what type of action you take:
GET if it does not alter the database (view, index, add/edit for display of 
the form)
POST to alter the database (add/edit upon save, delete)

mark


On Friday, 8 August 2014 17:55:10 UTC+2, Steve Thomas wrote:


Re: Retrieve attachment from a Post - mailgun

2014-08-08 Thread Luke Rehmann


 Did you ever solve this? 

Thanks 



Testing controllers - 3.x

2014-08-08 Thread Thomas von Hassel
Hey good people


When I test controllers and want to mock certain methods on the controller, I 
use ->generate(), but I also have to define components that are already defined 
in the controller, and if I want to use the real components I have to stub out a 
dummy method on the component to make it work.

Is this the intended behaviour?

/thomas



Re: GET or POST

2014-08-08 Thread Steve Thomas
Thanks Mark,
I am using ACL. So for example, if a role such as a manager can list all 
the employees of that company, it also adds the Action links (add) (edit) 
(delete). If this manager clicks to edit one of the employees (users), this 
is sent to the EDIT view via GET with the user id in the address bar 
- controller/method/id. All the manager would have to do is change the id 
in the address bar to access another user. Possibly a user from a different 
company which they shouldn't be able to access.
It's generally not acceptable programming to send an account id via GET 
because of this security breach. It should always be sent via POST. However, 
the EDIT form submits to itself and therefore conflicts with other posts.
I was hoping this is such a basic and common flaw that there would be an 
easy fix.
I hope that cleared up what I'm trying to accomplish.
Another example is the DELETE link on the same Action with EDIT and ADD; it 
uses postLink() to avoid the id being sent via GET in the address bar. 
However, the delete page doesn't have any other POST or self submissions 
and no conflicts.

Thanks
Steve

On Friday, August 8, 2014 3:03:57 PM UTC-4, euromark wrote:


Re: GET or POST

2014-08-08 Thread Thomas von Hassel
You should check the ACL in the edit controller action before actually doing 
anything

/thomas


On 08 Aug 2014, at 22:33, Steve Thomas smt9...@gmail.com wrote:

 All the manager would have to do is change the id in the address bar to 
 access another user. Possibly a user from a different company which they 
 shouldn't be able to access.  



Re: GET or POST

2014-08-08 Thread Andras Kende
You could add a condition like

'conditions' => array(
    'Employee.company_id' => $this->Auth->user('company_id')
)

So when changing the id in the URL, the application still only allows fetching data 
which belongs to the same company..

The same applies for delete, just check before if the current user has access to 
the record to be deleted...

If you need to hide the id, then one option is to use uuid() as the primary key.

Andras

On Aug 8, 2014, at 1:33 PM, Steve Thomas smt9...@gmail.com wrote:

 Thanks Mark,
 I am using ACL. So for example, if a role such as a manager can list all the 
 employees of that company, it also adds the Action links (add) (edit) 
 (delete). If this manager clicks to edit one of the employee (users), this is 
 sent to the EDIT view via GET with the user id in the address bar - 
 controller/method/id. All the manager would have to do is change the id in 
 the address bar to access another user. Possibly a user from a different 
 company which they shouldn't be able to access.  
 It's generally not acceptable programming to send account id via GET because 
 of this security breach. It should always be sent POST. However, the EDIT 
 form submits to its self and therefore conflicts with other posts.
 I was hoping this is such a basic and common flaw that there would be an easy 
 fix.
 I hope that cleared up what I'm trying to accomplish.
 Another example is the DELETE link on the same Action with EDIT and ADD uses 
 postLink() to avoid the id being sent via GET in the address bar. However, 
 the delete page doesn't have any other POST or self submissions and no 
 conflicts.
 
 Thanks
 Steve
 
 On Friday, August 8, 2014 3:03:57 PM UTC-4, euromark wrote:
 I think you are confusing a few things here.
 GET/POST has nothing to do with what pages you can acess.
 You should use role (preferred) or row based access control to those forms 
 and non-public actions.
 
 The type is revelant for what type of action you take.
 GET if it does not alter the database (view, index, add/edit for display of 
 form)
 POST to alter the database (add/edit upon save, delete)
 
 mark
 
 
 Am Freitag, 8. August 2014 17:55:10 UTC+2 schrieb Steve Thomas:
 I'm wondering what everyone is doing about the default links. I'm setting up 
 an application that has multiple companies with multiple employees. One 
 company can't see another companies employees.
 However, if a manager can display a list of all their employees and edit them 
 via GET, they can simply change the id in the address bar to pull up any 
 arbitrary employee from their company or any other company.
 
 If I use a postLink, then the edit page opens blank because the 
 setFlash(__('The user could not be saved. Please, try again.) is triggered 
 before the find('list') can fill out the form.
 I'm only a couple weeks new to cakephp and am under the impression cakephp 
 won't allow a is() to validate a particular post name so I can create actions 
 based on which post is being submitted; self or a view.
 
 I tried to leave the link as GET and encrypt/decrypt, but that continued to 
 fail.
 Please, any suggestions would be great. I can't imagine this security hole 
 doesn't have an easy fix. I just haven't seen it yet.
 
 Thanks
 Steve
 
 
 -- 
 Like Us on FaceBook https://www.facebook.com/CakePHP
 Find us on Twitter http://twitter.com/CakePHP
 
 --- 
 You received this message because you are subscribed to the Google Groups 
 CakePHP group.
 To unsubscribe from this group and stop receiving emails from it, send an 
 email to cake-php+unsubscr...@googlegroups.com.
 To post to this group, send email to cake-php@googlegroups.com.
 Visit this group at http://groups.google.com/group/cake-php.
 For more options, visit https://groups.google.com/d/optout.

-- 
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

--- 
You received this message because you are subscribed to the Google Groups 
CakePHP group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.
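Putting Thomas's advice (check authorisation in the action before doing anything) and Andras's scoping condition together, here is an added example of a complete edit/delete pair; it is not code from the thread or from CakePHP. It follows CakePHP 2.x conventions (Model::find(), AuthComponent::user(), SessionComponent::setFlash(), and CakeRequest::allowMethod(), which exists from 2.5) and assumes a hypothetical Employee model with a company_id column and a session user that carries company_id; all of those names are illustrative. The point Steve was missing is that the id in the URL can stay visible: what matters is that the query never trusts the id on its own, and that the saved row is pinned to the one the lookup authorised, so neither the URL nor the POST body can redirect the write to another company's record.

```php
<?php
// Added example; not code from the thread or from CakePHP itself. Assumes a
// hypothetical Employee model with a company_id column, a session user that
// carries company_id, and CakePHP 2.5+ for CakeRequest::allowMethod().
App::uses('AppController', 'Controller');

class EmployeesController extends AppController {

    public $components = array('Session', 'Auth');

    /**
     * Load one employee row, scoped to the logged-in user's company.
     * The id from the URL is never used on its own: the query carries both
     * the id and the company_id, so an edited id that belongs to another
     * company simply finds nothing (row-level access control).
     */
    protected function _findOwnEmployee($id) {
        $employee = $this->Employee->find('first', array(
            'conditions' => array(
                'Employee.id' => $id,
                'Employee.company_id' => $this->Auth->user('company_id'),
            ),
        ));
        if (!$employee) {
            // 404 rather than 403: the response does not confirm that a foreign id exists
            throw new NotFoundException(__('Invalid employee'));
        }
        return $employee;
    }

    /** GET shows the form, POST/PUT saves it; both paths go through the scoped lookup. */
    public function edit($id = null) {
        $employee = $this->_findOwnEmployee($id);

        if ($this->request->is('post') || $this->request->is('put')) {
            // Pin the row being saved to the one just authorised, and drop any
            // attempt to move it to another company through a forged field.
            $this->request->data['Employee']['id'] = $employee['Employee']['id'];
            unset($this->request->data['Employee']['company_id']);

            if ($this->Employee->save($this->request->data)) {
                $this->Session->setFlash(__('The employee has been saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The employee could not be saved. Please, try again.'));
        } else {
            // first visit: prefill the form from the authorised row
            $this->request->data = $employee;
        }
    }

    /** Deleting changes state, so it only accepts POST/DELETE (what postLink() sends). */
    public function delete($id = null) {
        $this->request->allowMethod('post', 'delete');
        $employee = $this->_findOwnEmployee($id);

        if ($this->Employee->delete($employee['Employee']['id'])) {
            $this->Session->setFlash(__('The employee has been deleted.'));
        } else {
            $this->Session->setFlash(__('The employee could not be deleted.'));
        }
        return $this->redirect(array('action' => 'index'));
    }
}
```

Two design choices are deliberate. The lookup helper is shared by every action that touches a single row, so the scoping condition cannot be forgotten on one of them, and the save re-sets Employee.id from the authorised row instead of trusting the hidden id field in the form, which closes the same hole in the POST body that the URL had. If the application needs more than "same company", the extra role rule belongs inside _findOwnEmployee() too.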