Re: Security Component is Ruining my Life

2014-10-28 Thread Dr. Tarique Sani
On Mon, Oct 27, 2014 at 10:38 PM, Florian Krämer  wrote:

> I've turned the idea into an implementation. Proof of concept goes here:
> https://github.com/burzum/cakephp/commit/9d8f6b4cb7653dd14130af68dbc632e9055d8d76
>

Cool! I will try this out...

Tarique

-- 
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

--- 
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.


Re: Security Component is Ruining my Life

2014-10-27 Thread Florian Krämer
I've turned the idea into an implementation. Proof of concept goes 
here: 
https://github.com/burzum/cakephp/commit/9d8f6b4cb7653dd14130af68dbc632e9055d8d76

This will output the dirty fields as a list below the error message. I hope 
this is going to make it into the core. :)

On Sunday, October 19, 2014 12:26:44 AM UTC+2, glk wrote:
>
> Florian... What a wonderful idea.  
>
> Just wish I understood all of Cake well enough to help implement.  I've 
> fought with the Security Component many times and, although I've never 
> lost, it has created many headaches.  Hope the Development team can add 
> this functionality during debugging.
>
>



Re: Security Component is Ruining my Life

2014-10-18 Thread glk
Florian... What a wonderful idea.  

Just wish I understood all of Cake well enough to help implement.  I've 
fought with the Security Component many times and, although I've never 
lost, it has created many headaches.  Hope the Development team can add 
this functionality during debugging.



Re: Security Component is Ruining my Life

2014-09-12 Thread Florian Krämer
Mark, wouldn't it be possible to keep track of these changes somehow via 
DebugKit? Save the original keys to the session and then do the same 
comparison with the data that the security component does, but without the 
hashing, using an array diff instead?

On Friday, September 12, 2014 4:32:32 AM UTC+2, mark_story wrote:
>
> One of the issues with the field hashing is that SecurityComponent doesn't 
> know what is wrong either. It just knows that the hash of the data does not 
> match what was generated in the past.
>
> -Mark
>
> On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:
>>
>> I've got an app I have been maintaining for a while now. The security 
>> component causes more headaches than anything else. In fact, because 
>> CakePHP is so nice to work with, I think the Security Component (SC) causes all 
>> the headaches...
>>
>> I've read through the docs a fair bit; I have bits of code scattered 
>> around turning off the SC all over the place, which makes me feel sick from 
>> 2 points of view:
>>
>> 1.  What a mess
>> 2.  No SC == not great security.
>>
>>
>> One issue is it doesn't seem to give back enough detail on EXACTLY what 
>> went wrong.
>>
>> This morning a form that has no JS has decided to blackhole even though 
>> I'm applying the following fugly hack to ask it to leave me alone:
>>
>>
>> $this->Security->allowedControllers = array("people");
>> if (in_array($this->action, array('edit', 'simport'))) {
>>     $this->Security->validatePost = false;
>> }
>>
>>
>> I email myself every time these occur, with "details" of the error, 
>> which more or less amount to $type = "auth", which according to the docs 
>> means:
>>
>> "Indicates a form validation error, or a controller/action mismatch 
>> error."
>>
>> Well, neither I nor JS has messed with the form (that's what form validation is 
>> about, right?) and that is being disabled anyway, and it's showing the form 
>> in the action simport and posting to that action, all in the same 
>> controller.
>>
>> Adding this deeply depressing line of code makes my basic form work:
>> $this->Components->unload('Security');
>>
>> How can I get much better details of the error? How can I work with SC in 
>> a better way so it is generally on, not disabled around the site for 
>> assorted poorly understood reasons..?
>>
>> W
>>
>>
-- 
This email may contain material that is confidential, privileged and/or 
work product for the sole use of the intended recipient.  Any review, 
reliance or distribution by others or forwarding without express permission 
is strictly prohibited.  If you are not the intended recipient, please 
contact the sender and delete all copies.

Cake Development Corporation.



Re: Security Component is Ruining my Life

2014-09-11 Thread Will Barker
Oh, OK. Fair enough: if it doesn't know, it can't tell me.

On 12 September 2014 12:32, mark_story  wrote:

> One of the issues with the field hashing is that SecurityComponent doesn't
> know what is wrong either. It just knows that the hash of the data does not
> match what was generated in the past.
>
> -Mark
>
>
> On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:
>>
>> I've got an app I have been maintaining for a while now. The security
>> component causes more headaches than anything else. In fact, because
>> CakePHP is so nice to work with, I think the Security Component (SC) causes all
>> the headaches...
>>
>> I've read through the docs a fair bit; I have bits of code scattered
>> around turning off the SC all over the place, which makes me feel sick from
>> 2 points of view:
>>
>> 1.  What a mess
>> 2.  No SC == not great security.
>>
>>
>> One issue is it doesn't seem to give back enough detail on EXACTLY what
>> went wrong.
>>
>> This morning a form that has no JS has decided to blackhole even though
>> I'm applying the following fugly hack to ask it to leave me alone:
>>
>>
>> $this->Security->allowedControllers = array("people");
>> if (in_array($this->action, array('edit', 'simport'))) {
>>     $this->Security->validatePost = false;
>> }
>>
>>
>> I email myself every time these occur, with "details" of the error,
>> which more or less amount to $type = "auth", which according to the docs
>> means:
>>
>> "Indicates a form validation error, or a controller/action mismatch
>> error."
>>
>> Well, neither I nor JS has messed with the form (that's what form validation is
>> about, right?) and that is being disabled anyway, and it's showing the form
>> in the action simport and posting to that action, all in the same
>> controller.
>>
>> Adding this deeply depressing line of code makes my basic form work:
>> $this->Components->unload('Security');
>>
>> How can I get much better details of the error? How can I work with SC in
>> a better way so it is generally on, not disabled around the site for
>> assorted poorly understood reasons..?
>>
>> W
>>



-- 
Will Barker
0424 366 468



Re: Security Component is Ruining my Life

2014-09-11 Thread mark_story
One of the issues with the field hashing is that SecurityComponent doesn't 
know what is wrong either. It just knows that the hash of the data does not 
match what was generated in the past.

-Mark

On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:
>
> I've got an app I have been maintaining for a while now. The security 
> component causes more headaches than anything else. In fact, because 
> CakePHP is so nice to work with, I think the Security Component (SC) causes all 
> the headaches...
>
> I've read through the docs a fair bit; I have bits of code scattered 
> around turning off the SC all over the place, which makes me feel sick from 
> 2 points of view:
>
> 1.  What a mess
> 2.  No SC == not great security.
>
>
> One issue is it doesn't seem to give back enough detail on EXACTLY what 
> went wrong.
>
> This morning a form that has no JS has decided to blackhole even though 
> I'm applying the following fugly hack to ask it to leave me alone:
>
>
> $this->Security->allowedControllers = array("people");
> if (in_array($this->action, array('edit', 'simport'))) {
>     $this->Security->validatePost = false;
> }
>
>
> I email myself every time these occur, with "details" of the error, 
> which more or less amount to $type = "auth", which according to the docs 
> means:
>
> "Indicates a form validation error, or a controller/action mismatch error."
>
> Well, neither I nor JS has messed with the form (that's what form validation is 
> about, right?) and that is being disabled anyway, and it's showing the form 
> in the action simport and posting to that action, all in the same 
> controller.
>
> Adding this deeply depressing line of code makes my basic form work:
> $this->Components->unload('Security');
>
> How can I get much better details of the error? How can I work with SC in 
> a better way so it is generally on, not disabled around the site for 
> assorted poorly understood reasons..?
>
> W
>
>

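The hash comparison Mark describes here, together with the array-diff debugging aid Florian proposes earlier in the thread, modelled as an added example. This is illustrative PHP written for the archive, not CakePHP's SecurityComponent or the linked proof-of-concept commit: the field names, secret and POST bodies are constructed, and the HMAC token is a simplified stand-in for the component's own field hash.

```php
<?php
// Added illustration for this thread, not CakePHP's SecurityComponent or the
// proof-of-concept commit: a minimal model of the locked-field token check and
// the array-diff debugging aid. The field names, secret and POST bodies below
// are constructed, and the token scheme is a simplified stand-in.
// hash_equals() needs PHP >= 5.6.

// What a form helper would embed when the form is rendered: a keyed hash over
// the sorted names of the fields the form was built with (the "locked" fields).
function fieldToken(array $lockedFields, $secret)
{
    sort($lockedFields);
    return hash_hmac('sha256', implode('|', $lockedFields), $secret);
}

// The production check: recompute the token from the submitted field names and
// compare in constant time. Like the real component it can only report a
// mismatch; the hash carries no information about which field caused it.
function validatePost(array $postData, $submittedToken, $secret)
{
    return hash_equals(fieldToken(array_keys($postData), $secret), $submittedToken);
}

// The debugging aid: if the original field list was kept server-side (Florian
// suggests the session), a plain array diff names the dirty fields.
function explainMismatch(array $lockedFields, array $postData)
{
    $submitted = array_keys($postData);
    return array(
        'added'   => array_values(array_diff($submitted, $lockedFields)),
        'missing' => array_values(array_diff($lockedFields, $submitted)),
    );
}

$secret = 'constructed-app-salt';
$locked = array('Person.first_name', 'Person.last_name', 'Person.email');
$token  = fieldToken($locked, $secret);

// A POST body that matches the rendered form: the token validates.
$good = array(
    'Person.first_name' => 'Ada',
    'Person.last_name'  => 'Lovelace',
    'Person.email'      => 'ada@example.com',
);
var_dump(validatePost($good, $token, $secret));

// The same form with one field dropped and one added: the token fails, and
// only the diff can say why.
$bad = array(
    'Person.first_name' => 'Ada',
    'Person.email'      => 'ada@example.com',
    'Person.phone'      => '555-0100',
);
var_dump(validatePost($bad, $token, $secret));
print_r(explainMismatch($locked, $bad));
```

Keeping the locked field list in the session, keyed by form, is what turns the second result from "the hash doesn't match" into "Person.last_name is missing and Person.phone was added". The check itself is untouched, so the debugging aid can be switched off in production without changing what is enforced.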


Re: Security Component is Ruining my Life

2014-09-09 Thread #2Will
I think my hacks to avoid black holes are a mess. I'm sure the component is 
ace.

It does however give off a lot of false positives and, looking round the 
web, not just for me. With that in mind, it would be awesome if it was 
more expressive about what triggered it.

Also, it's awkward having it and then not using it. Once the site gets 
hacked, I'll have to stand at the front and tell all the others why I didn't 
use the security component.

I do a lot of other stuff to whitelist fields etc. to mitigate this (and 
the site gets penetration tested and hasn't been completely owned yet), so 
there is some effort going into doing it properly.

W



On Tuesday, 9 September 2014 18:23:39 UTC+10, José Lorenzo wrote:
>
> Don't use it if you think it is a mess and not real security.
>
> You can implement secure forms yourself by using field whitelists and a 
> CSRF token. I rarely use this component and I manage with those pretty fine.
>
> On Tuesday, September 9, 2014 3:47:05 AM UTC+2, #2Will wrote:
>>
>> I've got an app I have been maintaining for a while now. The security 
>> component causes more headaches than anything else. In fact, because 
>> CakePHP is so nice to work with, I think the Security Component (SC) causes all 
>> the headaches...
>>
>> I've read through the docs a fair bit; I have bits of code scattered 
>> around turning off the SC all over the place, which makes me feel sick from 
>> 2 points of view:
>>
>> 1.  What a mess
>> 2.  No SC == not great security.
>>
>>
>> One issue is it doesn't seem to give back enough detail on EXACTLY what 
>> went wrong.
>>
>> This morning a form that has no JS has decided to blackhole even though 
>> I'm applying the following fugly hack to ask it to leave me alone:
>>
>>
>> $this->Security->allowedControllers = array("people");
>> if (in_array($this->action, array('edit', 'simport'))) {
>>     $this->Security->validatePost = false;
>> }
>>
>>
>> I email myself every time these occur, with "details" of the error, 
>> which more or less amount to $type = "auth", which according to the docs 
>> means:
>>
>> "Indicates a form validation error, or a controller/action mismatch 
>> error."
>>
>> Well, neither I nor JS has messed with the form (that's what form validation is 
>> about, right?) and that is being disabled anyway, and it's showing the form 
>> in the action simport and posting to that action, all in the same 
>> controller.
>>
>> Adding this deeply depressing line of code makes my basic form work:
>> $this->Components->unload('Security');
>>
>> How can I get much better details of the error? How can I work with SC in 
>> a better way so it is generally on, not disabled around the site for 
>> assorted poorly understood reasons..?
>>
>> W
>>
>>



Re: Security Component is Ruining my Life

2014-09-09 Thread José Lorenzo
Don't use it if you think it is a mess and not real security.

You can implement secure forms yourself by using field whitelists and a 
CSRF token. I rarely use this component and I manage with those pretty fine.

On Tuesday, September 9, 2014 3:47:05 AM UTC+2, #2Will wrote:
>
> I've got an app I have been maintaining for a while now. The security 
> component causes more headaches than anything else. In fact, because 
> CakePHP is so nice to work with, I think the Security Component (SC) causes all 
> the headaches...
>
> I've read through the docs a fair bit; I have bits of code scattered 
> around turning off the SC all over the place, which makes me feel sick from 
> 2 points of view:
>
> 1.  What a mess
> 2.  No SC == not great security.
>
>
> One issue is it doesn't seem to give back enough detail on EXACTLY what 
> went wrong.
>
> This morning a form that has no JS has decided to blackhole even though 
> I'm applying the following fugly hack to ask it to leave me alone:
>
>
> $this->Security->allowedControllers = array("people");
> if (in_array($this->action, array('edit', 'simport'))) {
>     $this->Security->validatePost = false;
> }
>
>
> I email myself every time these occur, with "details" of the error, 
> which more or less amount to $type = "auth", which according to the docs 
> means:
>
> "Indicates a form validation error, or a controller/action mismatch error."
>
> Well, neither I nor JS has messed with the form (that's what form validation is 
> about, right?) and that is being disabled anyway, and it's showing the form 
> in the action simport and posting to that action, all in the same 
> controller.
>
> Adding this deeply depressing line of code makes my basic form work:
> $this->Components->unload('Security');
>
> How can I get much better details of the error? How can I work with SC in 
> a better way so it is generally on, not disabled around the site for 
> assorted poorly understood reasons..?
>
> W
>
>

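The field-whitelist-plus-CSRF-token approach José describes, as an added example rather than code from the thread or from CakePHP. The session array, the hidden field name `_csrf_token`, the allowed field list and the request body are all constructed for the illustration.

```php
<?php
// Added example of the approach described in this thread (a field whitelist
// plus a CSRF token), written for illustration; not CakePHP code. The session
// array, field names and request body are constructed here.
// random_bytes() needs PHP >= 7 (openssl_random_pseudo_bytes() is the older
// equivalent); hash_equals() needs PHP >= 5.6.

// Issue one CSRF token per session when a form is rendered; the token goes into
// a hidden field and is compared on submit.
function csrfToken(array &$session)
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the submitted token in constant time so a mismatch leaks no timing.
function csrfValid(array $session, array $post)
{
    if (empty($session['csrf_token']) || empty($post['_csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string)$post['_csrf_token']);
}

// Keep only the fields this action expects. Anything else in the body is
// dropped before the data reaches the model, so an unexpected column can never
// be written just because a client chose to send it.
function whitelistFields(array $post, array $allowed)
{
    return array_intersect_key($post, array_flip($allowed));
}

// Constructed request handling.
$session = array();
$token   = csrfToken($session); // embedded as <input type="hidden"> on render

$post = array(
    '_csrf_token' => $token,
    'first_name'  => 'Ada',
    'email'       => 'ada@example.com',
    'is_admin'    => '1', // not a field of this form; the whitelist removes it
);

if (!csrfValid($session, $post)) {
    throw new RuntimeException('CSRF token missing or invalid');
}
$clean = whitelistFields($post, array('first_name', 'last_name', 'email'));
print_r($clean);
```

In CakePHP 2 the same whitelist can be handed to the model as the `fieldList` option of `Model::save()`, which is the point at which it matters: the token decides whether the request is accepted at all, the whitelist decides which of its fields are allowed to reach the database.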


Re: Security component and SQL Injection

2014-06-13 Thread phpMagpie
@Jose: good to know ... logical cause of the dropped table was someone 
getting their hands on the database login credentials.

@Dakota: thanks, will keep an eye out for that, not that it's a factor in 
this situation.

On Friday, June 13, 2014 4:52:22 AM UTC+1, Dakota wrote:
>
> Just one thing to note is that the updateAll() method doesn't do all 
> escaping.



Re: Security component and SQL Injection

2014-06-12 Thread Dakota
Just one thing to note is that the updateAll() method doesn't do all escaping.



Re: Security component and SQL Injection

2014-06-12 Thread José Lorenzo
As long as you are using the Model API and not passing raw strings of SQL 
to it, then you should be safe.

On Thursday, June 12, 2014 12:56:10 PM UTC+2, phpMagpie wrote:
>
> I personally do not think the site was the victim of an SQL Injection as I 
> am not passing any raw queries into the system anywhere.  The more 
> realistic cause of the problem is I shared phpMyAdmin user details with the 
> client and they accidentally deleted the table themselves, or the login 
> details were made available to someone else who did this.  If this was an 
> injection attack, I would expect them to do more than remove one table from 
> one database.  
>
> I don't like to jump to conclusions though, so just wanted to know if my 
> configuration has somehow opened up the possibility of SQL Injection.
>
> Thanks, Paul.
>
> On Thursday, 12 June 2014 11:36:00 UTC+1, José Lorenzo wrote:
>>
>> No, the security component does not protect you against that. There must 
>> be some place where you are passing raw input into a query.
>>
>> On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
>>>
>>> Hi,
>>>
>>> I've just launched a site for a client that had quite a big form in it 
>>> that people were spending a long time trying to complete. Because some 
>>> people were walking away from the form, then coming back later and trying to 
>>> submit, their security tokens were expiring, so the client asked me to 
>>> disable security for that form.
>>>
>>> I did the following:
>>> if ($this->request->action == 'add') {
>>>   $this->Security->validatePost = false;
>>>   $this->Security->csrfCheck = false;
>>> }
>>>
>>> Fast forward to this evening and someone has managed to delete the users 
>>> table from the database. Could disabling validatePost and csrfCheck have 
>>> allowed someone to SQL inject a table drop?
>>>
>>> Thanks,
>>>
>>> Paul.
>>>
>>



Re: Security component and SQL Injection

2014-06-12 Thread phpMagpie
I personally do not think the site was the victim of an SQL Injection as I 
am not passing any raw queries into the system anywhere.  The more 
realistic cause of the problem is I shared phpMyAdmin user details with the 
client and they accidentally deleted the table themselves, or the login 
details were made available to someone else who did this.  If this was an 
injection attack, I would expect them to do more than remove one table from 
one database.  

I don't like to jump to conclusions though, so just wanted to know if my 
configuration has somehow opened up the possibility of SQL Injection.

Thanks, Paul.

On Thursday, 12 June 2014 11:36:00 UTC+1, José Lorenzo wrote:
>
> No, the security component does not protect you against that. There must 
> be some place where you are passing raw input into a query.
>
> On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
>>
>> Hi,
>>
>> I've just launched a site for a client that had quite a big form in it 
>> that people were spending a long time trying to complete. Because some 
>> people were walking away from the form, then coming back later and trying to 
>> submit, their security tokens were expiring, so the client asked me to 
>> disable security for that form.
>>
>> I did the following:
>> if ($this->request->action == 'add') {
>>   $this->Security->validatePost = false;
>>   $this->Security->csrfCheck = false;
>> }
>>
>> Fast forward to this evening and someone has managed to delete the users 
>> table from the database. Could disabling validatePost and csrfCheck have 
>> allowed someone to SQL inject a table drop?
>>
>> Thanks,
>>
>> Paul.
>>
>



Re: Security component and SQL Injection

2014-06-12 Thread José Lorenzo
No, the security component does not protect you against that. There must be 
some place where you are passing raw input into a query.

On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
>
> Hi,
>
> I've just launched a site for a client that had quite a big form in it 
> that people were spending a long time trying to complete. Because some 
> people were walking away from the form, then coming back later and trying to 
> submit, their security tokens were expiring, so the client asked me to 
> disable security for that form.
>
> I did the following:
> if ($this->request->action == 'add') {
>   $this->Security->validatePost = false;
>   $this->Security->csrfCheck = false;
> }
>
> Fast forward to this evening and someone has managed to delete the users 
> table from the database. Could disabling validatePost and csrfCheck have 
> allowed someone to SQL inject a table drop?
>
> Thanks,
>
> Paul.
>



Re: Security component and SQL Injection

2014-06-11 Thread phpMagpie
Yeah, everything is done via Model::save() and your understanding is the 
same as mine.  

If anyone does know otherwise, it would be good to know.

Thanks, Paul.

On Thursday, 12 June 2014 01:17:12 UTC+1, Reuben wrote:
>
> I thought it would depend more on how you are writing changes to the 
> database.
>
> If you're going via the model, with ::create and ::save methods, then 
> users "shouldn't" be able to inject a truncate or drop.  I say "shouldn't" 
> because that is my understanding of how it is supposed to work, but I've 
> never gone out of my way to test it.
>
> However, if you're using ::query, then that might be possible, if queries 
> are not appropriately sanitized.
>
> Regards
> Reuben Helms
>
> On Thursday, 12 June 2014 09:28:03 UTC+10, phpMagpie wrote:
>>
>> Hi,
>>
>> I've just launched a site for a client that had quite a big form in it 
>> that people were spending a long time trying to complete. Because some 
>> people were walking away from the form, then coming back later and trying to 
>> submit, their security tokens were expiring, so the client asked me to 
>> disable security for that form.
>>
>> I did the following:
>> if ($this->request->action == 'add') {
>>   $this->Security->validatePost = false;
>>   $this->Security->csrfCheck = false;
>> }
>>
>> Fast forward to this evening and someone has managed to delete the users 
>> table from the database. Could disabling validatePost and csrfCheck have 
>> allowed someone to SQL inject a table drop?
>>
>> Thanks,
>>
>> Paul.
>>
>



Re: Security component and SQL Injection

2014-06-11 Thread Reuben
I thought it would depend more on how you are writing changes to the 
database.

If you're going via the model, with ::create and ::save methods, then users 
"shouldn't" be able to inject a truncate or drop.  I say "shouldn't" 
because that is my understanding of how it is supposed to work, but I've 
never gone out of my way to test it.

However, if you're using ::query, then that might be possible, if queries 
are not appropriately sanitized.

Regards
Reuben Helms

On Thursday, 12 June 2014 09:28:03 UTC+10, phpMagpie wrote:
>
> Hi,
>
> I've just launched a site for a client that had quite a big form in it 
> that people were spending a long time trying to complete. Because some 
> people were walking away from the form, then coming back later and trying to 
> submit, their security tokens were expiring, so the client asked me to 
> disable security for that form.
>
> I did the following:
> if ($this->request->action == 'add') {
>   $this->Security->validatePost = false;
>   $this->Security->csrfCheck = false;
> }
>
> Fast forward to this evening and someone has managed to delete the users 
> table from the database. Could disabling validatePost and csrfCheck have 
> allowed someone to SQL inject a table drop?
>
> Thanks,
>
> Paul.
>

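The distinction drawn throughout this thread (José: Model API versus raw SQL strings; Reuben: ::save versus ::query; Dakota: updateAll() not escaping) comes down to whether request data is ever parsed as part of the statement. As an added example, not CakePHP's Model layer or code from the thread, here is the same contrast in plain PDO against an in-memory SQLite database (needs the pdo_sqlite extension); the table and rows are constructed. Dakota's remark applies because in CakePHP 2 the values handed to updateAll() are inserted as SQL expressions rather than quoted for you, which is the unsafe function below in another guise.

```php
<?php
// Added example for the SQL-injection thread: plain PDO with an in-memory
// SQLite database constructed here, not CakePHP's Model API. A value passed
// through a prepared statement is only ever data; a value spliced into the
// query text becomes part of the statement.

function setupDb()
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, active INTEGER NOT NULL)');
    // Sample rows; the second e-mail address legitimately contains a quote.
    $pdo->exec("INSERT INTO users (email, active) VALUES ('alice@example.com', 1), ('o''brien@example.com', 1)");
    return $pdo;
}

// Unsafe: the input is concatenated into the query text, so any quote in it
// changes the statement. This is the "raw input into a query" the thread warns
// about; the same happens with a raw ::query() call or an unquoted updateAll() value.
function findByEmailUnsafe(PDO $pdo, $email)
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value travels as a bound parameter and is never parsed as SQL.
function findByEmailSafe(PDO $pdo, $email)
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute(array(':email' => $email));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Safe bulk update: one placeholder per value, so a list of arbitrary length
// from a request still never touches the statement text.
function deactivateByEmail(PDO $pdo, array $emails)
{
    if (!$emails) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($emails), '?'));
    $stmt = $pdo->prepare("UPDATE users SET active = 0 WHERE email IN ($placeholders)");
    $stmt->execute(array_values($emails));
    return $stmt->rowCount();
}

$pdo   = setupDb();
$input = "o'brien@example.com"; // a legitimate value that happens to contain a quote

print_r(findByEmailSafe($pdo, $input));

try {
    findByEmailUnsafe($pdo, $input);
} catch (PDOException $e) {
    // The quote in the input broke the statement: proof that input reached the parser.
    echo 'unsafe query failed: ', $e->getMessage(), PHP_EOL;
}

echo deactivateByEmail($pdo, array('alice@example.com', $input)), ' row(s) deactivated', PHP_EOL;
```

The failing case is deliberately a benign value rather than an attack string: a single quote in ordinary data is enough to show that the unsafe version hands user input to the SQL parser, and whatever the parser would accept there is exactly what the prepared statement rules out.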


Re: Security Component Question

2013-12-29 Thread Florian Krämer
Check the code:
http://api.cakephp.org/2.4/source-class-SecurityComponent.html#322-338

Blackholing is nothing more than throwing a BadRequestException or 
triggering a callback.

I would not use an exception in that place.

On Friday, December 27, 2013 7:37:24 PM UTC+1, advantage+ wrote:
>
> Is there a way to force a call to blackhole based on model validation rules?
>
>  
>
> I have a validation method that I would like to call the blackhole if it 
> fails.
>
>  
>
> Thanks,
>
> Dave
>

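Since blackholing is, as Florian says, just a BadRequestException or a callback, the callback is also the natural place to answer the recurring question in these threads of what actually went wrong. As an added example, not code from the linked source or from CakePHP itself, a controller that registers a `blackHoleCallback` (a real SecurityComponent option, as is the `$type` argument it passes) and logs the request context before restoring the default outcome. The controller name, log format and choice of logged fields are made up for the illustration.

```php
<?php
// Added example, not CakePHP's own code: a controller whose blackHoleCallback
// records why and on which request SecurityComponent fired before throwing the
// BadRequestException that would otherwise have been thrown directly.
// PeopleController, the log text and the logged fields are made up here;
// blackHoleCallback and $type are SecurityComponent's own.
App::uses('AppController', 'Controller');
App::uses('CakeLog', 'Log');

class PeopleController extends AppController {

    public $components = array(
        'Security' => array('blackHoleCallback' => 'blackhole'),
    );

    // Called by SecurityComponent instead of throwing when blackHoleCallback is
    // set; $type names the failed check ('auth', 'csrf', 'secure', ...).
    public function blackhole($type) {
        $data = (array)$this->request->data;
        $context = array(
            'type'      => $type,
            'url'       => $this->request->here,
            'method'    => $this->request->method(),
            'referer'   => $this->request->referer(),
            // Top-level keys only (model names and _Token): enough to see which
            // form posted, without writing submitted values into the log.
            'keys'      => array_keys($data),
            'has_token' => isset($data['_Token']['fields']),
        );
        CakeLog::write('error', 'Security blackhole: ' . json_encode($context));

        // Keep the default outcome once the context has been recorded.
        throw new BadRequestException('The request has been black-holed');
    }
}
```

With this in place an `auth` blackhole with `has_token` false points at a form rendered without the token fields (a form built while the component was disabled, or posted from elsewhere), while `auth` with the token present points at a field list that changed between render and submit, which is the case the array-diff proposal earlier in the thread is about.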


Re: Security component and data posted from external site

2012-12-07 Thread Jeremy Burns | Class Outfit
My solution is to receive the post via one action then redirect to the log in 
action. Security::unlockedActions doesn't seem to work though (I must be doing 
it wrong?); I have to check for the initial action and disable the Security 
component. After the redirect the action is different, so the component is 
enabled again.

Whilst it's working this doesn't feel like I'm getting it right so would 
welcome any tips or guidance.

Jeremy Burns
Class Outfit

http://www.classoutfit.com

On 7 Dec 2012, at 15:14:16, Jeremy Burns  wrote:

> I'm using 2.3 beta and the Security component.
> 
> I have a site that is posting data to a controller action but the Security 
> component blocks the request; so I don't get $this->request->data and the 
> code fails.
> 
> If I disable the Security component in beforeFilter for this action the data 
> gets through OK. The next screen the user sees is a log in screen, but as the 
> Security component was disabled when it was created it doesn't contain the 
> _tokens so the subsequent log in fails ($this->request->is('post') returns 
> false).
> 
> I have tried $this->Security->unlockedActions = array('action_name'); but 
> that seems to have no effect (it's as if Security component is still active).
> 
> Anyone got any clues or advice please?
> 



Re: Security Component: blackhole with no, erm, whitehole?

2012-01-05 Thread DragonFlyEye
Thanks, Jeremy. I think I'm going to opt for roughly the same thing. Use my 
pushSSL() function - analogous to your __unforceSSL() - on all controllers 
that don't require SSL, then use the switching style for those that do 
require SSL.

It just seems weird to me that they have a function in Security which is 
meant to identify which actions require SSL, but they don't have a native 
function for pushing people *off* SSL. 

-- 
Our newest site for the community: CakePHP Video Tutorials 
http://tv.cakephp.org 
Check out the new CakePHP Questions site http://ask.cakephp.org and help others 
with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php


Re: Security Component: blackhole with no, erm, whitehole?

2012-01-04 Thread Jeremy Burns | Class Outfit
Here's how I did this on an app (this is 1.3 but I'd guess it'd be fairly easy 
to transpose to 2.0 if needed).

In app_controller create a function:

function __requireSecure() {
    // ... conditions to check
    // ... return true if SSL is needed
    return false; // ... return false by default
}

Create two other functions (looking at them they could be merged into a single 
function, but hey):

function __forceSSL() {
    // env('HTTPS') is already a boolean in CakePHP, so test it directly;
    // "!env('HTTPS') == 1" negates first and compares afterwards, which only
    // worked by accident
    if (!env('HTTPS')) {
        $this->redirect('https://' . env('SERVER_NAME') . $this->here);
    }
}

function __unforceSSL() {
    if (env('HTTPS')) {
        $this->redirect('http://' . env('SERVER_NAME') . $this->here);
    }
}

Then in beforeFilter:

if ($this->__requireSecure()) {
    // note: the callback is invoked for every blackhole reason, not only for
    // a missing SSL; on a request that is already HTTPS __forceSSL() returns
    // without doing anything
    $this->Security->blackHoleCallback = '__forceSSL';
    $this->Security->requireSecure();
} else {
    $this->__unforceSSL();
}

This can probably be improved, but it works.

Jeremy Burns
Class Outfit


http://www.classoutfit.com


On 4 Jan 2012, at 18:05:35, DragonFlyEye wrote:

> Can anyone help me out, here?
> 



Re: Security Component: blackhole with no, erm, whitehole?

2012-01-04 Thread DragonFlyEye
Can anyone help me out, here?



Re: Security component and long delays

2011-10-14 Thread Jeremy Burns
Thanks Andy.

On 13 Oct 2011, at 14:38, AD7six wrote:

> 
> 
> On Oct 13, 2:13 pm, Jeremy Burns  wrote:
>> I'm developing a corporate application that'll be used as part of
>> people's day jobs. It is not unlikely that they will be in the middle
>> of something, lock up their PC and go home for the night. When they
>> come back in they'll unlock their PC and want to pick up where they
>> left off. If they were in the middle of some data management with
>> forms using the security component, the form will look like it's ready
>> to go, they'll enter some more data and hit submit but they will be
>> immediately blackholed. All they will see is a blank screen and think
>> 'bug'. What is the best way of handling this more gracefully? How can
>> I direct them to a log in screen or at least an info page?
> 
> Is your app 1.3 based? The short answer is override the blackHole
> callback, check the $reason, and then do whatever you want. AFAIK
> that's the default behavior (meaning redirect on blackhole) in 2.0
> anyway:
> https://github.com/cakephp/cakephp/blob/2.0/lib/Cake/Controller/Component/SecurityComponent.php#L276
> 
> If you want to be nice - you may want to do some store-form-data-to-cookie/persistentStorage
> JS so that after reloading the page you have the possibility to repopulate
> the form with the data they previously entered.
> 
> AD
> 



Re: Security component and long delays

2011-10-13 Thread AD7six


On Oct 13, 2:13 pm, Jeremy Burns  wrote:
> I'm developing a corporate application that'll be used as part of
> people's day jobs. It is not unlikely that they will be in the middle
> of something, lock up their PC and go home for the night. When they
> come back in they'll unlock their PC and want to pick up where they
> left off. If they were in the middle of some data management with
> forms using the security component, the form will look like it's ready
> to go, they'll enter some more data and hit submit but they will be
> immediately blackholed. All they will see is a blank screen and think
> 'bug'. What is the best way of handling this more gracefully? How can
> I direct them to a log in screen or at least an info page?

Is your app 1.3 based? The short answer is override the blackHole
callback, check the $reason, and then do whatever you want. AFAIK
that's the default behavior (meaning redirect on blackhole) in 2.0
anyway:
https://github.com/cakephp/cakephp/blob/2.0/lib/Cake/Controller/Component/SecurityComponent.php#L276

If you want to be nice - you may want to do some store-form-data-to-cookie/persistentStorage
JS so that after reloading the page you have the possibility to repopulate
the form with the data they previously entered.

AD
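Bringing Jeremy's requireSecure()/blackHoleCallback pattern from the SSL thread and Andy's "check the $reason" advice together, here is an added example (not code from the thread or from CakePHP itself): a CakePHP 2.x AppController whose single blackhole callback branches on the reason, so plain-HTTP requests are bounced to HTTPS, stale or tampered tokens get a message and the login page instead of a blank screen, and anything else is refused. The _requireSecure() rule, the securityBlackhole() name and the users/login route are assumptions; the reason strings are the ones SecurityComponent passes in 2.x.

```php
<?php
// Added example, not code from the thread or from CakePHP: an AppController
// for CakePHP 2.x that routes every Security blackhole through one callback
// and branches on the reason string the component passes.
// Assumptions: a UsersController with a login action, SessionComponent loaded.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array('Security', 'Session');

    public function beforeFilter() {
        parent::beforeFilter();
        // Every blackhole (tampered form, stale token, wrong HTTP method,
        // plain HTTP where SSL is required) ends up in securityBlackhole().
        $this->Security->blackHoleCallback = 'securityBlackhole';
        // Only demand SSL where it matters; the callback below still handles
        // the other reasons for actions that do not require it.
        if ($this->_requireSecure()) {
            $this->Security->requireSecure();
        }
    }

    /**
     * Whether the current action must be served over SSL.
     * Placeholder rule (an assumption): everything in UsersController plus
     * any action named 'checkout'.
     */
    protected function _requireSecure() {
        return $this->name === 'Users'
            || $this->request->params['action'] === 'checkout';
    }

    /**
     * Security blackhole handler. $error is one of the reason strings
     * SecurityComponent passes in 2.x: 'secure', 'auth', 'csrf', 'get',
     * 'post', 'put' or 'delete'.
     *
     * The callback must redirect or throw. If it merely returns, the
     * component's startup() returns too and the action runs as if the
     * check had passed.
     */
    public function securityBlackhole($error) {
        switch ($error) {
            case 'secure':
                // Plain-HTTP request to an SSL-only action: send it to HTTPS.
                return $this->redirect(
                    'https://' . env('SERVER_NAME') . $this->request->here
                );

            case 'auth':
            case 'csrf':
                // Form token missing, expired or not matching the fields that
                // were rendered: typically a session that timed out overnight.
                // Explain what happened and go to the login page instead of
                // showing a blank screen.
                $this->Session->setFlash(__(
                    'Your session expired or the form was altered. ' .
                    'Please log in and try again.'
                ));
                return $this->redirect(
                    array('controller' => 'users', 'action' => 'login')
                );

            default:
                // Wrong HTTP method for the action, or an unknown reason: refuse.
                throw new BadRequestException(
                    __('Request rejected (%s).', $error)
                );
        }
    }
}
```

The callback must redirect or throw for every reason: a callback that only checks for HTTPS, like __forceSSL(), returns without acting when a tampered form arrives over an SSL connection, and the action then runs as though validation had passed.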



Re: security component

2011-08-15 Thread Özgür Demir
Thanks a lot Jens,

I think I'll model it this way. Perhaps using a small ajax popup which
contains the token instead of a new frame just asking if the record
should be deleted.

On 13 Aug., 13:03, Jens Dittrich  wrote:
> No, or it depends on what you want to happen when a delete link is clicked.
> No one forces you to commit a delete on a click on a link. As an example,
> you could always display a page requesting a confirm for the delete request,
> which could carry a token for that request. That way you could not delete by
> just firing a GET request.



Re: security component

2011-08-13 Thread Jens Dittrich
No, or it depends on what you want to happen when a delete link is clicked. 
No one forces you to commit a delete on a click on a link. As an example, 
you could always display a page requesting a confirm for the delete request, 
which could carry a token for that request. That way you could not delete by 
just firing a GET request.



Re: security component

2011-08-12 Thread Özgür Demir
I was able to solve the first question myself:

In my controller actions I always check if ($this->data) before saving
or editing a record.
If variables are passed via GET (a harmful link, for example), $this->data is
empty and nothing harmful can happen.
In other words, without using the POST method it's not possible to add or
edit a record.
Hence, security->requirePost just seems to be necessary for the
delete actions.

Still, do I have to replace all delete links
with small forms which contain the authentication token?

On Aug 11, 5:54 pm, Özgür Demir  wrote:
> Hi every body,
>
> I'm pretty sure this must have been answered somewhere. However I
> wasn't able to find an answer yet. I have two question regarding the
> security component.
>
> 1. Authentication tokens seem to be checked by the security
> component only if data is passed via POST. I assume this since my
> delete action is performed through a delete link even if the action is
> protected by the security component. This makes the security component
> useless for CSRF without the use of security->requirePost(). Am I
> right with this?
>
> 2. It's obvious that my "add/edit" links are not working if using
> requirePost('add','edit'), I could solve this by adding
> requirePost('add','edit') only if data is submitted by the user like
> this:
>
> in beforeFilter
> if ($this->data) {
>     $this->Security->requirePost('add', 'edit');
> }
>
> But how do I handle the delete links? Do I have to replace all of them
> with small forms which contain the authentication token?
>
> Thanks for your help...
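As an added example (not code from the thread) of the approach Jens describes and Özgür asks about, here is a CakePHP 2.x delete action that refuses anything but POST, paired with a view in which each delete link is rendered by FormHelper::postLink() as a small token-carrying form, so a bare GET from a crafted link can no longer delete a record. The Post model, PostsController and index view are assumptions.

```php
<?php
// Added example, not code from the thread: a CakePHP 2.x delete action that
// only runs on POST, with the delete "link" rendered as a small form that
// carries the Security token. Assumptions: a Post model and PostsController,
// SessionComponent loaded.
App::uses('AppController', 'Controller');

class PostsController extends AppController {

    public $components = array('Security', 'Session');

    public function beforeFilter() {
        parent::beforeFilter();
        // Only delete is forced to POST: add/edit still render their forms on
        // GET and submit them, token and all, on POST. A GET to delete is
        // blackholed with reason 'post' before the action runs.
        $this->Security->requirePost('delete');
    }

    public function delete($id = null) {
        // Belt and braces: even if the Security component were disabled for
        // this action, a bare GET from a crafted link must never delete.
        if (!$this->request->is('post')) {
            throw new MethodNotAllowedException();
        }
        $this->Post->id = $id;
        if (!$this->Post->exists()) {
            throw new NotFoundException(__('Invalid post'));
        }
        if ($this->Post->delete()) {
            $this->Session->setFlash(__('The post has been deleted.'));
        } else {
            $this->Session->setFlash(__('The post could not be deleted.'));
        }
        return $this->redirect(array('action' => 'index'));
    }
}

/*
 * In app/View/Posts/index.ctp each delete link is a postLink(): FormHelper
 * emits a hidden form with the _Token fields and a link whose onclick submits
 * it after a confirm dialog, so the request carries the token the same way a
 * dedicated confirmation page would, and a plain GET (an <img src> or a link
 * on another site) cannot trigger the delete:
 *
 *   foreach ($posts as $post) {
 *       echo $this->Form->postLink(
 *           __('Delete'),
 *           array('action' => 'delete', $post['Post']['id']),
 *           null,
 *           __('Are you sure you want to delete post %s?', $post['Post']['id'])
 *       );
 *   }
 */
```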



Re: Security component and HTTP Basic Authentication

2011-04-06 Thread gremlin
Actually - he asked for http basic digest authentication. Meaning all
of his "protected" pages will pop up the browser credential window
instead of the html form based login that auth promotes. Before you
criticize the poster for "making zero sense" and not having "read your
own question" maybe you should re-read the question once prior to
inserting your foot into your mouth.

On Apr 6, 6:41 am, "Krissy Masters" 
wrote:
> Are you talking actions or pages?
>
> If you do not want something accessed then you can _preUnderscoreTheName so
> it is not accessible via URL.
>
> You're building a site that has many pages but only 1 page you can visit
> publicly but no login to the other pages so they are never accessible by
> anyone makes zero sense...have you read your own question?
>
> -Original Message-
> From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf
>
> Of Mariano C.
> Sent: Wednesday, April 06, 2011 7:17 AM
> To: CakePHP
> Subject: Re: Security component and HTTP Basic Authentication
>
> I don't need a complete mechanism of authentication.
> I just want to protect every action with HTTP basic and leave just one
> action unprotected.
>
> As soon as I add the Auth component I should create a users table and so on,
> and I would rather avoid this.
>
> On 6 Apr, 10:01, "Mariano C."  wrote:
> > So I need the Auth and Security components together?
>
> > On 6 Apr, 09:54, "Krissy Masters"  wrote:
>
> > > $this->Auth->allowedActions = array(); //will allow nothing
>
> > > $this->Auth->allowedActions = array('login'); //only allow the action in
> > > the array
>
> > > These are set in the controller itself so you could specify just the 1
> > > allowed action for that controller.
>
> > > K
>
> > > -Original Message-
> > > From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On
> Behalf
>
> > > Of Mariano C.
> > > Sent: Wednesday, April 06, 2011 5:13 AM
> > > To: CakePHP
> > > Subject: Security component and HTTP Basic Authentication
>
> > > I've read this article
> > > http://book.cakephp.org/view/1309/Basic-HTTP-Authentication
>
> > > Now I've a lot of controllers with many actions to protect, so I could
> > > consider the idea to insert that beforeFilter directly inside
> > > AppController (and not in the single controller), so every action will
> > > be protected. Am I right?
>
> > > Now I have just one action that doesn't need authentication, what
> > > should I write inside that action to avoid auth?



RE: Security component and HTTP Basic Authentication

2011-04-06 Thread Krissy Masters
Are you talking actions or pages?

If you do not want something accessed then you can _preUnderscoreTheName so
it is not accessible via URL.

You're building a site that has many pages but only 1 page you can visit
publicly but no login to the other pages so they are never accessible by
anyone makes zero sense...have you read your own question?

-Original Message-
From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf
Of Mariano C.
Sent: Wednesday, April 06, 2011 7:17 AM
To: CakePHP
Subject: Re: Security component and HTTP Basic Authentication

I don't need a complete mechanism of authentication.
I just want to protect every action with HTTP basic and leave just one
action unprotected.

As soon as I add the Auth component I should create a users table and so on,
and I would rather avoid this.

On 6 Apr, 10:01, "Mariano C."  wrote:
> So I need the Auth and Security components together?
>
> On 6 Apr, 09:54, "Krissy Masters"  wrote:
>
> > $this->Auth->allowedActions = array(); //will allow nothing
>
> > $this->Auth->allowedActions = array('login'); //only allow the action in
> > the array
>
> > These are set in the controller itself so you could specify just the 1
> > allowed action for that controller.
>
> > K
>
> > -Original Message-
> > From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On
Behalf
>
> > Of Mariano C.
> > Sent: Wednesday, April 06, 2011 5:13 AM
> > To: CakePHP
> > Subject: Security component and HTTP Basic Authentication
>
> > I've read this article
> > http://book.cakephp.org/view/1309/Basic-HTTP-Authentication
>
> > Now I've a lot of controllers with many actions to protect, so I could
> > consider the idea to insert that beforeFilter directly inside
> > AppController (and not in the single controller), so every action will
> > be protected. Am I right?
>
> > Now I have just one action that doesn't need authentication, what
> > should I write inside that action to avoid auth?



RE: Security component and HTTP Basic Authentication

2011-04-06 Thread Krissy Masters
Correct

Auth is for User authentication (login / out)
Security for security of the forms basically

-Original Message-
From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf
Of Mariano C.
Sent: Wednesday, April 06, 2011 5:32 AM
To: CakePHP
Subject: Re: Security component and HTTP Basic Authentication

So I need the Auth and Security components together?

On 6 Apr, 09:54, "Krissy Masters"  wrote:
> $this->Auth->allowedActions = array(); //will allow nothing
>
> $this->Auth->allowedActions = array('login'); //only allow the action in
> the array
>
> These are set in the controller itself so you could specify just the 1
> allowed action for that controller.
>
> K
>
> -Original Message-
> From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On
Behalf
>
> Of Mariano C.
> Sent: Wednesday, April 06, 2011 5:13 AM
> To: CakePHP
> Subject: Security component and HTTP Basic Authentication
>
> I've read this article
> http://book.cakephp.org/view/1309/Basic-HTTP-Authentication
>
> Now I've a lot of controllers with many actions to protect, so I could
> consider the idea to insert that beforeFilter directly inside
> AppController (and not in the single controller), so every action will
> be protected. Am I right?
>
> Now I have just one action that doesn't need authentication, what
> should I write inside that action to avoid auth?



Re: Security component and HTTP Basic Authentication

2011-04-06 Thread Mariano C.
I don't need a complete mechanism of authentication.
I just want to protect every action with HTTP basic and leave just one
action unprotected.

As soon as I add the Auth component I should create a users table and so on,
and I would rather avoid this.

On 6 Apr, 10:01, "Mariano C."  wrote:
> So I need the Auth and Security components together?
>
> On 6 Apr, 09:54, "Krissy Masters"  wrote:
>
> > $this->Auth->allowedActions = array(); //will allow nothing
>
> > $this->Auth->allowedActions = array('login'); //only allow the action in the
> > array
>
> > These are set in the controller itself so you could specify just the 1
> > allowed action for that controller.
>
> > K
>
> > -Original Message-
> > From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf
>
> > Of Mariano C.
> > Sent: Wednesday, April 06, 2011 5:13 AM
> > To: CakePHP
> > Subject: Security component and HTTP Basic Authentication
>
> > I've read this article
> > http://book.cakephp.org/view/1309/Basic-HTTP-Authentication
>
> > Now I've a lot of controllers with many actions to protect, so I could
> > consider the idea to insert that beforeFilter directly inside
> > AppController (and not in the single controller), so every action will
> > be protected. Am I right?
>
> > Now I have just one action that doesn't need authentication, what
> > should I write inside that action to avoid auth?



Re: Security component and HTTP Basic Authentication

2011-04-06 Thread Mariano C.
So I need the Auth and Security components together?

On 6 Apr, 09:54, "Krissy Masters"  wrote:
> $this->Auth->allowedActions = array(); //will allow nothing
>
> $this->Auth->allowedActions = array('login'); //only allow the action in the
> array
>
> These are set in the controller itself so you could specify just the 1
> allowed action for that controller.
>
> K
>
> -Original Message-
> From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf
>
> Of Mariano C.
> Sent: Wednesday, April 06, 2011 5:13 AM
> To: CakePHP
> Subject: Security component and HTTP Basic Authentication
>
> I've read this article
> http://book.cakephp.org/view/1309/Basic-HTTP-Authentication
>
> Now I've a lot of controllers with many actions to protect, so I could
> consider the idea to insert that beforeFilter directly inside
> AppController (and not in the single controller), so every action will
> be protected. Am I right?
>
> Now I have just one action that doesn't need authentication, what
> should I write inside that action to avoid auth?



RE: Security component and HTTP Basic Authentication

2011-04-06 Thread Krissy Masters
$this->Auth->allowedActions = array(); //will allow nothing

$this->Auth->allowedActions = array('login'); //only allow the action in the
array

These are set in the controller itself so you could specify just the 1
allowed action for that controller.

K


-Original Message-
From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf
Of Mariano C.
Sent: Wednesday, April 06, 2011 5:13 AM
To: CakePHP
Subject: Security component and HTTP Basic Authentication

I've read this article
http://book.cakephp.org/view/1309/Basic-HTTP-Authentication

Now I've a lot of controllers with many actions to protect, so I could
consider the idea to insert that beforeFilter directly inside
AppController (and not in the single controller), so every action will
be protected. Am I right?

Now I have just one action that doesn't need authentication, what
should I write inside that action to avoid auth?



RE: Security Component

2010-11-09 Thread Dave Maharaj
Right on, thanks for that bit.

I am not modifying any of the forms, simply AJAX submit.

But one thing that has me puzzled was that I added the Security component, used
Firebug to edit the hash value, changed a few field names / values and it still
submitted fine (no blackholes), so that's where I was getting all this Security
chatter from.

It seemed to do nothing. It did not blackhole / break anything but it also
did not "secure" the form either.



Check out the new CakePHP Questions site http://cakeqs.org and help others with 
their CakePHP related questions.

You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en


Re: Security Component

2010-11-09 Thread euromark
it depends on what you are doing
if you simply post static forms, that's fine

the problems start as soon as you modify the forms via javascript/jquery
if you add or remove inputs, this will most certainly result in blackholes
you would need to exclude those fields manually


On 9 Nov., 17:33, "Dave Maharaj"  wrote:
> No one specific. Just googled it and found blackholed requests (I call that
> not working) or use $this->Security->validatePost = false; which tells
> security not to validate, which also means it's not working (does nothing).
>
> Maybe for certain actions? I don't know...I'm just trying to see what will
> and will not work.
>
> I'm simply sending forms via AJAX with the jquery.form plugin.
>
> All my stuff works, that's why I'm wondering.
>
> -Original Message-
> From: robust solution [mailto:hussein_elhar...@yahoo.com]
> Sent: November-09-10 4:36 AM
> To: CakePHP
> Subject: Re: Security Component
>
> sorry man but who told you that security component and AJAX do not
> work?
>
> On Nov 8, 10:18 pm, "Dave Maharaj"  wrote:
> > Ok from what I have read using Security Component with AJAX request will
> > not work.
>
> > So I never added it to my app_controller, then today I decided let's see
> > what happens so sure enough my forms all get the security div
>
> >  > name="_method"> > value="6ed5415b7526befab1ec093cac8ccd45255daba7"
> > name="data[_Token][key]">
>
> > Now just for fun I tested my forms that use ajax and they all submit fine.
>
> > So what I was reading saying it will not work are they saying it will not
> > work as in the security feature will not work (it won't secure the forms)
> > or it will not work as in your forms will never submit?
>
> > Dave
>

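To make euromark's point concrete, here is an added example (not code from the thread): a CakePHP 2.x PostsController whose add form gets one extra input appended by page script, showing the weak way out Dave found online (validatePost = false, which turns the tamper check off for every form) beside the narrow fix of unlocking just that one field on the component and FormHelper side. The Post model, the Post.tags field and the add view are assumptions.

```php
<?php
// Added example, not code from the thread: weak versus narrow handling of a
// form that page script extends client-side. Assumptions: a Post model, a
// PostsController, and a Post.tags input that JavaScript appends to the add form.
App::uses('AppController', 'Controller');

class PostsController extends AppController {

    public $components = array(
        'Session',
        'Security' => array(
            // Narrow fix: tamper checking stays on for every other input
            // (field names, hidden values, the field list itself); only the
            // field the script is allowed to add or remove is left out of
            // the hash.
            'unlockedFields' => array('Post.tags'),
        ),
    );

    public function beforeFilter() {
        parent::beforeFilter();
        // Weak "fix" found online: switches the hash check off for every
        // form in this controller, so renaming inputs or editing hidden
        // values in the browser is no longer detected. Shown commented out
        // only as the setting NOT to reach for.
        // $this->Security->validatePost = false;
    }

    public function add() {
        if ($this->request->is('post')) {
            $this->Post->create();
            if ($this->Post->save($this->request->data)) {
                $this->Session->setFlash(__('The post has been saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The post could not be saved.'));
        }
    }
}

/*
 * app/View/Posts/add.ctp: unlocking the same field on the helper side as
 * well records Post.tags in the form's _Token[unlocked] list, so the form
 * validates even on a controller whose component config does not list it.
 * title and body remain locked: renaming or dropping them, or adding any
 * other field, still blackholes the request.
 *
 *   echo $this->Form->create('Post');
 *   echo $this->Form->input('title');
 *   echo $this->Form->input('body');
 *   // page script may later insert <input name="data[Post][tags]" ...>
 *   $this->Form->unlockField('Post.tags');
 *   echo $this->Form->end(__('Save'));
 */
```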


RE: Security Component

2010-11-09 Thread Dave Maharaj
No one specific. Just googled it and found blackholed requests (I call that
not working) or use $this->Security->validatePost = false; which tells
security not to validate, which also means it's not working (does nothing).

Maybe for certain actions? I don't know...I'm just trying to see what will
and will not work.

I'm simply sending forms via AJAX with the jquery.form plugin.

All my stuff works, that's why I'm wondering.

-Original Message-
From: robust solution [mailto:hussein_elhar...@yahoo.com] 
Sent: November-09-10 4:36 AM
To: CakePHP
Subject: Re: Security Component

sorry man but who told you that security component and AJAX do not
work?


On Nov 8, 10:18 pm, "Dave Maharaj"  wrote:
> Ok from what I have read using Security Component with AJAX request will
> not work.
>
> So I never added it to my app_controller, then today I decided let's see
> what happens so sure enough my forms all get the security div
>
>  name="_method"> value="6ed5415b7526befab1ec093cac8ccd45255daba7"
> name="data[_Token][key]">
>
> Now just for fun I tested my forms that use ajax and they all submit fine.
>
> So what I was reading saying it will not work are they saying it will not
> work as in the security feature will not work (it wont secure the forms)
or
> it will not work as in your forms will never submit?
>
> Dave



Re: Security Component

2010-11-09 Thread robust solution
sorry man but who told you that security component and AJAX do not
work?


On Nov 8, 10:18 pm, "Dave Maharaj"  wrote:
> Ok from what I have read using Security Component with AJAX request will not
> work.
>
> So I never added it to my app_controller, then today I decided let's see what
> happens so sure enough my forms all get the security div
>
>  name="_method"> value="6ed5415b7526befab1ec093cac8ccd45255daba7"
> name="data[_Token][key]">
>
> Now just for fun I tested my forms that use ajax and they all submit fine.
>
> So what I was reading saying it will not work are they saying it will not
> work as in the security feature will not work (it won't secure the forms) or
> it will not work as in your forms will never submit?
>
> Dave



Re: Security Component

2010-11-08 Thread Miles J
It has been a while but usually the response would just be empty, even
if I was setting data.

On Nov 8, 3:49 pm, "Dave Maharaj"  wrote:
> All my responses are JSON with true / false then do something like you said.
> I was just curious as everything I seem to have found says Security
> Component will not work so just trying to get an answer on what exactly
> "will not work" means.
>
> ? The component will add the Token / hash but it's not checked ?
> ? The whole thing will fail ?
> ? The component does nothing ?
>
> So far in my testing everything still works but if I edit the form with
> firebug it still submits (my validation returns JSON response error ) so I
> guess the security component does nothing. So far no blackhole / whitepage
> errors though.
>
> Just curious is all.
>
> Thanks,
>
> Dave
>
> -Original Message-
> From: Miles J [mailto:mileswjohn...@gmail.com]
> Sent: November-08-10 7:58 PM
> To: CakePHP
> Subject: Re: Security Component
>
> Most of the time it will not validate and blackhole (throw a
> whitepage), it was easiest to just disable it in AJAX calls.
>
> $this->Security->validatePost = false;
>
> We don't need validation in AJAX anyways as we usually need some sort
> of json response.
>
> On Nov 8, 2:18 pm, "Dave Maharaj"  wrote:
> > Ok from what I have read using Security Component with AJAX request will not
> > work.
> >
> > So I never added it to my app_controller, then today I decided let's see what
> > happens so sure enough my forms all get the security div
> >
> >  name="_method"> value="6ed5415b7526befab1ec093cac8ccd45255daba7"
> > name="data[_Token][key]">
> >
> > Now just for fun I tested my forms that use ajax and they all submit fine.
> >
> > So what I was reading saying it will not work are they saying it will not
> > work as in the security feature will not work (it won't secure the forms) or
> > it will not work as in your forms will never submit?
> >
> > Dave


RE: Security Component

2010-11-08 Thread Dave Maharaj
All my responses are JSON with true / false then do something like you said.
I was just curious as everything I seem to have found says Security
Component will not work so just trying to get an answer on what exactly
"will not work" means.

? The component will add the Token / hash but it's not checked ?
? The whole thing will fail ?
? The component does nothing ?

So far in my testing everything still works but if I edit the form with
firebug it still submits (my validation returns JSON response error ) so I
guess the security component does nothing. So far no blackhole / whitepage
errors though.

Just curious is all.

Thanks,

Dave

-Original Message-
From: Miles J [mailto:mileswjohn...@gmail.com]
Sent: November-08-10 7:58 PM
To: CakePHP
Subject: Re: Security Component

Most of the time it will not validate and blackhole (throw a
whitepage), it was easiest to just disable it in AJAX calls.

$this->Security->validatePost = false;

We don't need validation in AJAX anyways as we usually need some sort
of json response.

On Nov 8, 2:18 pm, "Dave Maharaj"  wrote:
> Ok from what I have read using Security Component with AJAX request will not
> work.
>
> So I never added it to my app_controller, then today I decided let's see what
> happens so sure enough my forms all get the security div
>
>  name="_method"> value="6ed5415b7526befab1ec093cac8ccd45255daba7"
> name="data[_Token][key]">
>
> Now just for fun I tested my forms that use ajax and they all submit fine.
>
> So what I was reading saying it will not work are they saying it will not
> work as in the security feature will not work (it won't secure the forms) or
> it will not work as in your forms will never submit?
>
> Dave



Re: Security Component

2010-11-08 Thread Miles J
Most of the time it will not validate and blackhole (throw a
whitepage), it was easiest to just disable it in AJAX calls.

$this->Security->validatePost = false;

We don't need validation in AJAX anyways as we usually need some sort
of json response.

On Nov 8, 2:18 pm, "Dave Maharaj"  wrote:
> Ok from what I have read using Security Component with AJAX request will not
> work.
>
> So I never added it to my app_controller, then today I decided let's see what
> happens so sure enough my forms all get the security div
>
>  name="_method"> value="6ed5415b7526befab1ec093cac8ccd45255daba7"
> name="data[_Token][key]">
>
> Now just for fun I tested my forms that use ajax and they all submit fine.
>
> So what I was reading saying it will not work are they saying it will not
> work as in the security feature will not work (it won't secure the forms) or
> it will not work as in your forms will never submit?
>
> Dave



Re: Security component and the dreaded blackhole

2010-10-20 Thread euromark
I always hated the security component for that,
had similar issues some time ago.
Debugging is almost impossible^^
At least in debug > 0 it should not blackhole completely (but maybe
throw some errors or whatever).
If there is such an option I didn't find it yet.

On 20 Oct., 22:43, austin  wrote:
> I just spent an hour trying to debug a similar situation... I finally
> noticed that I forgot to put echo $form->end() at the end of the
> form...
>
> On Sep 19, 1:22 am, Jeremy Burns | Class Outfit  wrote:
> > Yup - I know all this and if you read the post you'll see that I am using
> > the form helper and am not using javascript. My question was "how do you
> > debug an issue with the Security component?".
>
> > Jeremy Burns
> > Class Outfit
>
> > jeremybu...@classoutfit.com
> > http://www.classoutfit.com
>
> > On 18 Sep 2010, at 21:33, bwelli...@gmail.com wrote:
>
> > > When using the Security Component you must use the FormHelper to
> > > create your forms. The Security Component looks for certain indicators
> > > that are created and managed by the FormHelper (especially those
> > > created in create() and end()). Dynamically altering the fields that
> > > are submitted in a POST request (e.g. disabling, deleting or creating
> > > new fields via JavaScript) is likely to trigger a black-holing of the
> > > request. See the $validatePost or $disabledFields configuration
> > > parameters.
>
> > > http://book.cakephp.org/view/1296/Security-Component
>
> > > On Sep 8, 10:52 am, Jeremy Burns | Class Outfit  wrote:
> > >> Yup - all the way through. No java or funny stuff either.
>
> > >> Jeremy Burns
> > >> Class Outfit
>
> > >> jeremybu...@classoutfit.com
> > >> http://www.classoutfit.com
>
> > >> On 8 Sep 2010, at 18:20, Miles J wrote:
>
> > >>> Are you creating input fields without the form helper?
>
> > >>> http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security...
>
> > >>> On Sep 8, 8:03 am, Jeremy Burns  wrote:
> > >>>> I have enabled the Security component in my app_controller and mostly
> > >>>> this works just fine. But I have one particular view that falls into
> > >>>> the blackhole when its form is posted. It works fine if I type
> > >>>> $this->Security->validatePost = false; into the beforeFilter() of the
> > >>>> controller.
>
> > >>>> I can't see anything particularly odd about the form, and without
> > >>>> posting reams of code - how does one go about debugging this?


Re: Security component and the dreaded blackhole

2010-10-20 Thread austin
I just spent an hour trying to debug a similar situation... I finally
noticed that I forgot to put echo $form->end() at the end of the
form...

On Sep 19, 1:22 am, Jeremy Burns | Class Outfit  wrote:
> Yup - I know all this and if you read the post you'll see that I am using the 
> form helper and am not using javascript. My question was "how do you debug an 
> issue with the Security component?".
>
> Jeremy Burns
> Class Outfit
>
> jeremybu...@classoutfit.com
> http://www.classoutfit.com
>
> On 18 Sep 2010, at 21:33, bwelli...@gmail.com wrote:
>
> > When using the Security Component you must use the FormHelper to
> > create your forms. The Security Component looks for certain indicators
> > that are created and managed by the FormHelper (especially those
> > created in create() and end()). Dynamically altering the fields that
> > are submitted in a POST request (e.g. disabling, deleting or creating
> > new fields via JavaScript) is likely to trigger a black-holing of the
> > request. See the $validatePost or $disabledFields configuration
> > parameters.
>
> >http://book.cakephp.org/view/1296/Security-Component
>
> > On Sep 8, 10:52 am, Jeremy Burns | Class Outfit
> >  wrote:
> >> Yup - all the way through. No java or funny stuff either.
>
> >> Jeremy Burns
> >> Class Outfit
>
> >> jeremybu...@classoutfit.com
> >> http://www.classoutfit.com
>
> >> On 8 Sep 2010, at 18:20, Miles J wrote:
>
> >>> Are you creating input fields without the form helper?
>
> >>>http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security...
>
> >>> On Sep 8, 8:03 am, Jeremy Burns  wrote:
> >>>> I have enabled the Security component in my app_controller and mostly
> >>>> this works just fine. But I have one particular view that falls into
> >>>> the blackhole when its form is posted. It works fine if I type
> >>>> $this->Security->validatePost = false; into the beforeFilter() of the
> >>>> controller.
>
> >>>> I can't see anything particularly odd about the form, and without
> >>>> posting reams of code - how does one go about debugging this?


Re: Security component and the dreaded blackhole

2010-09-18 Thread Jeremy Burns | Class Outfit
Yup - I know all this and if you read the post you'll see that I am using the 
form helper and am not using javascript. My question was "how do you debug an 
issue with the Security component?".

Jeremy Burns
Class Outfit

jeremybu...@classoutfit.com
http://www.classoutfit.com

On 18 Sep 2010, at 21:33, bwelli...@gmail.com wrote:

> When using the Security Component you must use the FormHelper to
> create your forms. The Security Component looks for certain indicators
> that are created and managed by the FormHelper (especially those
> created in create() and end()). Dynamically altering the fields that
> are submitted in a POST request (e.g. disabling, deleting or creating
> new fields via JavaScript) is likely to trigger a black-holing of the
> request. See the $validatePost or $disabledFields configuration
> parameters.
> 
> http://book.cakephp.org/view/1296/Security-Component
> 
> 
> On Sep 8, 10:52 am, Jeremy Burns | Class Outfit  wrote:
>> Yup - all the way through. No java or funny stuff either.
>> 
>> Jeremy Burns
>> Class Outfit
>> 
>> jeremybu...@classoutfit.com
>> http://www.classoutfit.com
>> 
>> On 8 Sep 2010, at 18:20, Miles J wrote:
>> 
>>> Are you creating input fields without the form helper?
>> 
>>> http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security...
>> 
>>> On Sep 8, 8:03 am, Jeremy Burns  wrote:
>>>> I have enabled the Security component in my app_controller and mostly
>>>> this works just fine. But I have one particular view that falls into
>>>> the blackhole when its form is posted. It works fine if I type
>>>> $this->Security->validatePost = false; into the beforeFilter() of the
>>>> controller.
>>
>>>> I can't see anything particularly odd about the form, and without
>>>> posting reams of code - how does one go about debugging this?


Re: Security component and the dreaded blackhole

2010-09-18 Thread bwelli...@gmail.com
When using the Security Component you must use the FormHelper to
create your forms. The Security Component looks for certain indicators
that are created and managed by the FormHelper (especially those
created in create() and end()). Dynamically altering the fields that
are submitted in a POST request (e.g. disabling, deleting or creating
new fields via JavaScript) is likely to trigger a black-holing of the
request. See the $validatePost or $disabledFields configuration
parameters.

http://book.cakephp.org/view/1296/Security-Component


On Sep 8, 10:52 am, Jeremy Burns | Class Outfit  wrote:
> Yup - all the way through. No java or funny stuff either.
>
> Jeremy Burns
> Class Outfit
>
> jeremybu...@classoutfit.com
> http://www.classoutfit.com
>
> On 8 Sep 2010, at 18:20, Miles J wrote:
>
> > Are you creating input fields without the form helper?
>
> >http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security...
>
> > On Sep 8, 8:03 am, Jeremy Burns  wrote:
> >> I have enabled the Security component in my app_controller and mostly
> >> this works just fine. But I have one particular view that falls into
> >> the blackhole when its form is posted. It works fine if I type 
> >> $this->Security->validatePost = false; into the beforeFilter() of the
>
> >> controller.
>
> >> I can't see anything particularly odd about the form, and without
> >> posting reams of code - how does one go about debugging this?


Re: Security component: Disabling a single controller action

2010-09-17 Thread Jeremy Burns | Class Outfit
Perfect and so simple. I should have thought of that myself. Thanks.

Jeremy Burns
Class Outfit

jeremybu...@classoutfit.com
http://www.classoutfit.com

On 17 Sep 2010, at 17:58, Miles J wrote:

> if ($this->action == 'foobar') {
> $this->Security->validatePost = false;
> }
> 
> On Sep 16, 11:53 pm, Jeremy Burns  wrote:
>> Is it possible to exclude a single controller action from the Security
>> component? At present I have $this->Security->validatePost = false; in
>> the controller's beforeFilter, which means that all actions are
>> insecure.


Re: Security component: Disabling a single controller action

2010-09-17 Thread Miles J
if ($this->action == 'foobar') {
$this->Security->validatePost = false;
}

On Sep 16, 11:53 pm, Jeremy Burns  wrote:
> Is it possible to exclude a single controller action from the Security
> component? At present I have $this->Security->validatePost = false; in
> the controller's beforeFilter, which means that all actions are
> insecure.



Re: Security component and the dreaded blackhole

2010-09-08 Thread Jeremy Burns | Class Outfit
Yup - all the way through. No java or funny stuff either.

Jeremy Burns
Class Outfit

jeremybu...@classoutfit.com
http://www.classoutfit.com

On 8 Sep 2010, at 18:20, Miles J wrote:

> Are you creating input fields without the form helper?
> 
> http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security-Component
> 
> On Sep 8, 8:03 am, Jeremy Burns  wrote:
>> I have enabled the Security component in my app_controller and mostly
>> this works just fine. But I have one particular view that falls into
>> the blackhole when its form is posted. It works fine if I type 
>> $this->Security->validatePost = false; into the beforeFilter() of the
>> 
>> controller.
>> 
>> I can't see anything particularly odd about the form, and without
>> posting reams of code - how does one go about debugging this?


Re: Security component and the dreaded blackhole

2010-09-08 Thread Miles J
Are you creating input fields without the form helper?

http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security-Component

On Sep 8, 8:03 am, Jeremy Burns  wrote:
> I have enabled the Security component in my app_controller and mostly
> this works just fine. But I have one particular view that falls into
> the blackhole when its form is posted. It works fine if I type 
> $this->Security->validatePost = false; into the beforeFilter() of the
>
> controller.
>
> I can't see anything particularly odd about the form, and without
> posting reams of code - how does one go about debugging this?



Re: Security Component; custom form (rich editor)

2010-07-30 Thread nurvzy
You're welcome. :)

On Jul 30, 5:32 pm, Tomatosoup  wrote:
> A bit late though, but thanks!
>
> On 11 Jul, 03:48, nurvzy  wrote:
>
> > Set the security component to not validate that field.
>
> >http://book.cakephp.org/view/1297/Configuration
>
> > Hope that helps,
> > Nick
>
> > On Jul 10, 1:28 pm, Tomatosoup  wrote:
>
> > > Hello,
>
> > > I use the Security component, but one (kind of custom) form gets
> > > invalidated.
>
> > > Is there some way to validate an invalidated (because of the token the
> > > Security component generates) form?
>
> > > Because I have an edit page in which I have a DIV that acts as a Rich
> > > Text Editor. Whenever one clicks the submit button the HTML content of
> > > the DIV is transferred into a hidden form field.
>
> > > Much thanks in advance for any advice.



Re: Security Component; custom form (rich editor)

2010-07-30 Thread Tomatosoup
A bit late though, but thanks!

On 11 Jul, 03:48, nurvzy  wrote:
> Set the security component to not validate that field.
>
> http://book.cakephp.org/view/1297/Configuration
>
> Hope that helps,
> Nick
>
> On Jul 10, 1:28 pm, Tomatosoup  wrote:
>
> > Hello,
>
> > I use the Security component, but one (kind of custom) form gets
> > invalidated.
>
> > Is there some way to validate an invalidated (because of the token the
> > Security component generates) form?
>
> > Because I have an edit page in which I have a DIV that acts as a Rich
> > Text Editor. Whenever one clicks the submit button the HTML content of
> > the DIV is transferred into a hidden form field.
>
> > Much thanks in advance for any advice.



Re: Security Component; custom form (rich editor)

2010-07-10 Thread nurvzy
Set the security component to not validate that field.

http://book.cakephp.org/view/1297/Configuration

Hope that helps,
Nick

On Jul 10, 1:28 pm, Tomatosoup  wrote:
> Hello,
>
> I use the Security component, but one (kind of custom) form gets
> invalidated.
>
> Is there some way to validate an invalidated (because of the token the
> Security component generates) form?
>
> Because I have an edit page in which I have a DIV that acts as a Rich
> Text Editor. Whenever one clicks the submit button the HTML content of
> the DIV is transferred into a hidden form field.
>
> Much thanks in advance for any advice.

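The threads above keep arriving at the same three pieces of advice: exempt a single field (nurvzy, bwelli) or a single action (Miles J) rather than switching validatePost off for the whole controller, require POST for destructive actions (the requirePost thread), and make the blackhole explain itself in debug mode (euromark, Jeremy). The controller below puts them in one place as an added example; it is not code from any poster, it targets the CakePHP 1.3 API these posts use, and the action name 'ajax_save', the field 'Article.body' and the log name 'security' are assumptions made up for the example.

```php
<?php
// Added example, not from any post in this thread. CakePHP 1.3 AppController
// that keeps SecurityComponent's POST validation on, exempts only what has
// to be exempted, and turns the silent blackhole into something debuggable.
// Assumed names: action 'ajax_save', field 'Article.body', log 'security'.
class AppController extends Controller {

    var $components = array('Security');

    function beforeFilter() {
        parent::beforeFilter();

        // Route every blackhole through our own method instead of the
        // component's default redirect to a bare 404 page.
        $this->Security->blackHoleCallback = 'blackhole';

        // A hidden field that JavaScript fills in at submit time (the
        // rich-editor case) is not part of the field set the FormHelper
        // hashed, so exempt that one field, not the whole controller.
        $this->Security->disabledFields = array('Article.body');

        // Destructive action: only reachable by POST, so a plain link or a
        // typed URL cannot trigger it.
        $this->Security->requirePost('delete');

        // A form built without the FormHelper cannot carry a valid token.
        // If one AJAX action genuinely needs that, exempt that action only.
        if ($this->action == 'ajax_save') {
            $this->Security->validatePost = false;
        }
    }

    // SecurityComponent::blackHole() calls this with the failure type it
    // detected: 'auth' for a token/field-hash mismatch, 'get'/'post' for a
    // wrong HTTP method, 'secure' when SSL was required, and so on.
    function blackhole($type) {
        // Collect the submitted field names so the developer can compare
        // them with what $form->create() ... $form->end() generated.
        $fields = array();
        foreach ((array)$this->data as $model => $values) {
            if ($model == '_Token') {
                continue;  // the token itself is not a form field
            }
            if (!is_array($values)) {
                $fields[] = $model;
                continue;
            }
            foreach (array_keys($values) as $field) {
                $fields[] = $model . '.' . $field;
            }
        }

        // Always keep a trail: a rejected POST is either a broken form or a
        // tampered request, and both are worth knowing about.
        // Object::log() with a string type writes to tmp/logs/security.log.
        $this->log(sprintf('blackhole[%s] %s/%s from %s fields: %s',
            $type, $this->name, $this->action,
            env('REMOTE_ADDR'), implode(', ', $fields)), 'security');

        if (Configure::read('debug') > 0) {
            // Development only: show the reason instead of a white page.
            debug(array('type' => $type, 'submitted' => $fields));
            $this->_stop();
        }
        // Production: the same response the component would have sent.
        $this->redirect(null, 404, true);
    }
}
```

With debug > 0 a blackholed submit now shows the failure type and the field list, which is usually enough to spot a missing $form->end() or a field added outside the FormHelper.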


Re: Security Component - requirePost() method. Change from Link to Form

2010-01-23 Thread DaveTheRave
I did manage to solve it, and directly after I had posted this! I
retained the ...
"echo $form->create('Product', array('action'=>'edit/'.$this->data
['Product']['id']));" on "list.ctp".
I changed the link on "edit.ctp" to a verbose link without the "id",
i.e. $form->create('Product', array('action'=>'edit')). The $id was
only needed on index.ctp to identify which record "edit" needed to
"read".
I must admit to being a bit paranoid about hacking and tend to err on
the safe side. I know POSTing isn't safe either but it's a step above GET.
I will always retain the Security Token.

Thanks for responding.
DaveTheRave.

On 20 Jan, 18:02, Miles J  wrote:
> I may be wrong in this, but I'm pretty sure the requirePost() is only
> supposed to be used once. It should only be used on the initial
> request of the page, not subsequently after.
>
> Why would you have that page require a post to access? And not just
> turn it back to a link? It doesn't solve any problems, it just adds
> more complexity to it.
>
> The only time requirePost() is a great idea, is when doing a delete (/
> products/delete/1), where that page must be hit with a post. Once hit
> with a post, it does the delete logic and redirects or flashes.
>
> On Jan 20, 9:54 am, DaveTheRave  wrote:
>
>
>
> > I have a test CakePHP Application that lists various products on a
> > single page called "views/products/index.ctp".
> > To start with each product had an "Edit" link that targeted action
> > "products/edit/".
>
> > This worked fine.
> > I then added "$this->Security->requirePost('edit');".
> > I replaced the link on "index.ctp" page with a form defined as
> > follows...
>
> > WAS...
> > echo $html->link(__('Edit', true), '/products/edit/'.$this->data
> > ['Product']['id']);
>
> > NOW...
> > echo $form->create('Product', array('action'=>'edit/'.$this->data
> > ['Product']['id']));
> > echo $form->submit(__('Edit', true));
> > echo $form->end();
>
> > The "Edit" page again uses the $form helper to create a form with a
> > post action for posting back the changes to "$this->data" and uses the
> > syntax shown below.
> > echo $form->create('Product', array('action'=>'edit/'.$this->data
> > ['Product']['id']));
> > echo $form->input('title');
> > .
> > echo $form->end(__('Submit', true));
>
> > When I click the "Edit" button it does take me to the "Edit" page.
> > The URL now shows the action path .../products/edit/.
> > After making changes I press the Submit button on the "Edit" page, but
> > I get sent to the blackHoleCallback.
>
> > When "requirePost" is removed, everything works fine!
>
> > I should point out that a Token is being created by the
> > "SecurityComponent" and is held in "$this->data".
> > As a result I have had to change the checks within the "Edit" action
> > in the controller so that they check for "$this->data['Product']"
> > being empty rather than just "$this->data".
>
> > Can anyone tell me how I should have done this?
>
> > Thanks,
> > DaveTheRave



Re: Security Component - requirePost() method. Change from Link to Form

2010-01-20 Thread Miles J
I may be wrong in this, but I'm pretty sure the requirePost() is only
supposed to be used once. It should only be used on the initial
request of the page, not subsequently after.

Why would you have that page require a post to access? And not just
turn it back to a link? It doesn't solve any problems, it just adds
more complexity to it.

The only time requirePost() is a great idea, is when doing a delete (/
products/delete/1), where that page must be hit with a post. Once hit
with a post, it does the delete logic and redirects or flashes.

On Jan 20, 9:54 am, DaveTheRave  wrote:
> I have a test CakePHP Application that lists various products on a
> single page called "views/products/index.ctp".
> To start with each product had an "Edit" link that targeted action
> "products/edit/".
>
> This worked fine.
> I then added "$this->Security->requirePost('edit');".
> I replaced the link on "index.ctp" page with a form defined as
> follows...
>
> WAS...
> echo $html->link(__('Edit', true), '/products/edit/'.$this->data
> ['Product']['id']);
>
> NOW...
> echo $form->create('Product', array('action'=>'edit/'.$this->data
> ['Product']['id']));
> echo $form->submit(__('Edit', true));
> echo $form->end();
>
> The "Edit" page again uses the $form helper to create a form with a
> post action for posting back the changes to "$this->data" and uses the
> syntax shown below.
> echo $form->create('Product', array('action'=>'edit/'.$this->data
> ['Product']['id']));
> echo $form->input('title');
> .
> echo $form->end(__('Submit', true));
>
> When I click the "Edit" button it does take me to the "Edit" page.
> The URL now shows the action path .../products/edit/.
> After making changes I press the Submit button on the "Edit" page, but
> I get sent to the blackHoleCallback.
>
> When "requirePost" is removed, everything works fine!
>
> I should point out that a Token is being created by the
> "SecurityComponent" and is held in "$this->data".
> As a result I have had to change the checks within the "Edit" action
> in the controller so that they check for "$this->data['Product']"
> being empty rather than just "$this->data".
>
> Can anyone tell me how I should have done this?
>
> Thanks,
> DaveTheRave


Re: Security component and session timeout

2010-01-19 Thread Miles J
Yes the security component adds a hidden token/timer within the forms.
There is a time limit that black holes if you sit on the page too
long. Not sure if you can configure it. Try doing a search within the
Security component.

On Jan 18, 8:43 pm, Stinkbug  wrote:
> Just checking to see if anyone has any recommendations on this before
> I start implementing something myself.
>
> On Dec 16 2009, 10:49 pm, Stinkbug  wrote:
>
> > I've been using the security component for quite some time, but there
> > is one issue that I've never been able to figure out with it.
>
> > When I have a form and the user takes a while to fill it out, it will
> > get blackholed.  I'm guessing the security component is using a session
> > somehow on the form.  It makes the form only good for so many minutes
> > (I'm not totally sure how long).  However, adjusting session settings
> > in the core doesn't seem to change this.
>
> > Can someone explain what's going on and if there is a way to change
> > this so that a form can sit there a little longer without getting
> > blackholed?


Re: Security component and session timeout

2010-01-18 Thread Stinkbug
Just checking to see if anyone has any recommendations on this before
I start implementing something myself.

On Dec 16 2009, 10:49 pm, Stinkbug  wrote:
> I've been using the security component for quite some time, but there
> is one issue that I've never been able to figure out with it.
>
> When I have a form and the user takes a while to fill it out, it will
> get blackholed.  I'm guessing the security component is using a session
> somehow on the form.  It makes the form only good for so many minutes
> (I'm not totally sure how long).  However, adjusting session settings
> in the core doesn't seem to change this.
>
> Can someone explain what's going on and if there is a way to change
> this so that a form can sit there a little longer without getting
> blackholed?


Re: Security component woes

2009-12-02 Thread j0n4s.h4rtm...@googlemail.com
Dump your beforeFilter (AppController and UsersController)

On Dec 1, 6:20 pm, "designv...@gmail.com" 
wrote:
> Hi all,
>
> I have the Security component enabled in my users controller and it's
> adding the tokens into my register form and I am viewing it via HTTPS,
> however the form never submits, it just reloads the page, no save or
> no validation errors...
>
> I am sure I am missing something.
>
> I'm using Auth also and my login functions are fine via SSL...
>
> Any ideas?
>
> d.



Re: Security component related question

2009-12-01 Thread Saliem
I looked at this
http://www.milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security-Component
and I added $this->Security->validatePost = false; to the
beforeFilter action of each controller and everything seems to work
fine. I still get https enforced, which is good, through the requireSecure
method. Obviously this isn't the ideal solution. If anyone has
encountered these issues ping me

thanks!

saliem

On Dec 1, 7:53 pm, Saliem  wrote:
> Hi Everyone,
>
> I'm having some trouble using the security component. No data is
> getting through to where I want it and I keep getting blackholed. If I
> take out the security component everything works fine and the data
> goes through.  I've already constructed every element of my forms
> using the form helper so I'm not sure what else needs to be done.  Is
> there anywhere else I can go to for information about this?
>
> Thanks,
>
> ## a_controller.php ##
>
> class AController extends AppController {
>
>     var $name = 'A';
>
>     var $helpers = array('Ajax', 'Html', 'Form', 'Paginator', 'Fieldformatting');
>
>     var $components = array('Security', 'Session', 'Email', 'Crypter', 'RequestHandler');
>
>     function beforeFilter() {
>         parent::beforeFilter();
>
>         $this->Security->allowedControllers = array('B');
>         $this->Security->blackHoleCallback = 'forceSSL';
>         $this->Security->requireSecure();
>     }
>
>     function forceSSL() {
>         $this->redirect('https://' . env('SERVER_NAME') . $this->here);
>     }
>
>     function action_a() {
>         if ($this->data) {
>             // do something with this data and set some session
>             // variables, then redirect to action_b to display this data
>         }
>     }
>
>     function action_b() {
>         // read session variables and set some variables
>         // using data from action_a for the corresponding view
>     }
> }
>
> ## end of a_controller.php ##
>
> ## b_controller.php ##
>
> class BController extends AppController {
>
>     var $name = 'B';
>
>     var $helpers = array('Form', 'Ajax', 'Html', 'Cropimage', 'Paginator', 'Fieldformatting', 'Resizeimage');
>     var $components = array('Session', 'Email', 'JqImgcrop', 'RequestHandler', 'Navigation', 'Security');
>
>     function action_b() {
>         // set some data to some variables so that data
>         // can be used to construct form elements in the corresponding view
>     }
> }
>
> ## end of b_controller.php ##
>
> ## b/action_b.ctp ##
>
> form helper used to construct a form that consists of hidden elements
> and select menus to send data to a/action_a/
>
> ## end of b/action_b.ctp ##



Re: Security Component & $form->file()

2009-08-29 Thread Miles J

Do not use $form->file(), that's your problem. Also do not ever use
select(), radio(), checkbox(), etc.; you must use input().

$form->input('file', array('type' => 'file'));



Re: Security Component & $form->file()

2009-08-29 Thread pph7


Hi,
did you ever solve this issue or get any response? It seems I have the same
problem.
Greets,
mark


VoiDeT wrote:
> 
> 
> Hey Everyone!
> 
> I am struggling to write a file upload here. I have the security
> component enabled in my app_controller and as soon as I place a
> $form->file() in the form and submit it, I get taken to a white page, no
> errors, and only a list of queries if I have them enabled.
> 
> It is much like:
> https://trac.cakephp.org/ticket/5489
> 
> However the bug status is set to "fixed" so I am wondering if maybe
> someone else can reproduce the same error? Before I bother with
> opening a ticket.
> 
> Thank you!
> VoiDeT
> 
> > 
> 
> 




Re: Security component in older CakePHP version

2009-08-20 Thread andphe

Hi,

majna wrote:
> https://svn.cakephp.org/repo/trunk/cake/1.1.x.x/
> if you need "zip" version, email me.
>
> On Aug 19, 4:26 pm, andphe  wrote:
> > I would like to try the latest 1.1 release of cakePHP but it seems
> > that it is not possible to download it from the cake forge, is there any
> > alternative place for old downloads ?

Ouch! Of course, sorry to waste your time.

thanks a lot,

Andres



Re: Security component in older CakePHP version

2009-08-19 Thread majna

https://svn.cakephp.org/repo/trunk/cake/1.1.x.x/
if you need "zip" version, email me.

On Aug 19, 4:26 pm, andphe  wrote:
> Hi there,
>
> I have a website running an old version of cakePHP (1.1.19.6305), the
> fact is that the security component blackholes some legitimate
> requests, I traced the issue to where it compares the age of the _token
> session variable with the current time, anyways...
>
> I would like to try the latest 1.1 release of cakePHP but it seems
> that it is not possible to download it from the cake forge, is there any
> alternative place for old downloads ?
>
> Thank,
>
> Andrés



Re: Security Component and AJAX

2009-06-03 Thread Martin Westin

Each time you make an ajax request you invalidate the existing
security token. To use SecurityComponent and Ajax you would have to
send the latest token with each form (and make sure you get a new one
back from the server on each ajax request). And that is what in part
amounts to SecurityComponent and Ajax being incompatible. It is just
too much javascript-tangle.





On Jun 3, 5:34 pm, "Dave Maharaj :: WidePixels.com"
 wrote:
> You might be onto something there.
>
> Initial profile page loads with an "edit" button by the user's profile section
> to update part of the profile... click edit loads the form into a
> div... "submit" saves the form via a second Ajax request... success: jQuery
> effects, form fades out... updated selections fade in on the user's profile.
>
> Dave
>
> -Original Message-
> From: Martin Westin [mailto:martin.westin...@gmail.com]
> Sent: June-03-09 9:09 AM
> To: CakePHP
> Subject: Re: Security Component and AJAX
>
> Hi, I'm just butting in with a quick question. Something for you to check.
>
> There is no other ajax request after the page loads and before the form is
> posted? If so then this will also cause problems for SecurityComponent since
> the token will be old.
>
> /Martin
>
> On Jun 3, 7:20 am, Miles J  wrote:
> > At /joesmith/update/systems/, if you can debug the data you should be
> > able to save it. What exactly happens, a white page?
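The three failures reported on this page (the rich-editor thread's extra hidden field, the timeout thread's form left open too long, and this thread's token consumed by an intervening Ajax request) all come from the same mechanism. As an added example, not code from CakePHP or from anyone in these threads, here is a small standalone PHP model of that form token: an HMAC over the rendered field list plus a single-use, expiring request key. It also shows the fix from the rich-editor thread, declaring the editor's field as unvalidated. The field names, secret and timeout are constructed, and real CakePHP encodes the token differently.

```php
<?php
// Added example, not CakePHP's own code: a simplified model of the form token
// SecurityComponent puts in every form, to show why the forms in these threads
// are black-holed and what declaring a field as unvalidated changes. Field names,
// secret and timeout are constructed; real CakePHP encodes the token differently.
declare(strict_types=1);
const SECRET    = 'constructed-server-secret';   // stands in for Security.salt
const TOKEN_TTL = 600;                           // seconds a request key lives

// _Token[fields] for a rendered form: the locked and unlocked field lists,
// bound by an HMAC so the client cannot rewrite either list.
function field_token(array $fields, array $unlocked = []): string
{
    $locked = array_values(array_diff($fields, $unlocked));
    sort($locked);
    sort($unlocked);
    $mac = hash_hmac('sha256', serialize([$locked, $unlocked]), SECRET);
    return $mac . ':' . implode(',', $locked) . ':' . implode(',', $unlocked);
}

// _Token[key]: kept in the session with an expiry and replaced on every request,
// which is why an Ajax call made after the page loaded strands the open form.
function issue_key(array &$session, int $now): string
{
    $key = bin2hex(random_bytes(20));
    $session['_Token'] = ['key' => $key, 'expires' => $now + TOKEN_TTL];
    return $key;
}

// Validate a submitted form. $post uses flattened "Model.field" keys, the way
// Cake names them. Returns [ok, reason, fields that differ from the rendered form].
function validate_post(array $post, array &$session, int $now): array
{
    $key = $post['_Token']['key'] ?? null;
    $fields = $post['_Token']['fields'] ?? null;
    if (!is_string($key) || !is_string($fields)) {
        return [false, 'no token in request', []];
    }
    $sess = $session['_Token'] ?? null;
    unset($session['_Token']);                       // the key is single-use
    if ($sess === null || !hash_equals($sess['key'], $key)) {
        return [false, 'unknown or already used key', []];
    }
    if ($now > $sess['expires']) {
        return [false, 'key expired', []];
    }
    $parts = explode(':', $fields, 3);
    if (count($parts) !== 3) { return [false, 'malformed fields token', []]; }
    [$mac, $lockedCsv, $unlockedCsv] = $parts;
    $locked   = $lockedCsv   === '' ? [] : explode(',', $lockedCsv);
    $unlocked = $unlockedCsv === '' ? [] : explode(',', $unlockedCsv);
    $expected = hash_hmac('sha256', serialize([$locked, $unlocked]), SECRET);
    if (!hash_equals($expected, $mac)) {
        return [false, 'field list tampered with', []];
    }
    // Every submitted field that is not unlocked must be one the form was
    // rendered with, and none of the rendered fields may be missing.
    $submitted = array_keys(array_diff_key($post, ['_Token' => true]));
    $submitted = array_values(array_diff($submitted, $unlocked));
    $dirty = array_values(array_merge(
        array_diff($submitted, $locked), array_diff($locked, $submitted)));
    if ($dirty) {
        return [false, 'field set changed since the form was rendered', $dirty];
    }
    return [true, 'ok', []];
}

// The situations reported in the threads, one after another.
function demo(): array
{
    $out = [];
    $session = [];
    $now = 1000000;
    // 1. Rich-text editor: JavaScript adds a hidden field the form never declared.
    $key = issue_key($session, $now);
    $post = ['_Token' => ['key' => $key, 'fields' => field_token(['Post.title'])],
             'Post.title' => 'Hello', 'Post.body' => '<p>from the editor</p>'];
    $out['extra_field'] = validate_post($post, $session, $now + 5);

    // 2. Same form, Post.body declared as unlocked (the fix in the rich-editor thread).
    $key = issue_key($session, $now);
    $post['_Token'] = ['key' => $key, 'fields' => field_token(['Post.title'], ['Post.body'])];
    $out['unlocked_field'] = validate_post($post, $session, $now + 5);

    // 3. The user sits on the page longer than the key lives (the timeout thread).
    $post['_Token']['key'] = issue_key($session, $now);
    $out['expired'] = validate_post($post, $session, $now + TOKEN_TTL + 1);

    // 4. An Ajax request in between was issued a new key, so the form's key is stale.
    $post['_Token']['key'] = issue_key($session, $now);
    issue_key($session, $now);                       // the intervening Ajax request
    $out['stale_key'] = validate_post($post, $session, $now + 5);
    return $out;
}

foreach (demo() as $case => [$ok, $reason, $dirty]) {
    printf("%-15s %s  %s %s\n", $case, $ok ? 'ok  ' : 'FAIL', $reason, implode(', ', $dirty));
}
```

Only the second case validates; the other three are the black holes described in the threads, and the first one also names the offending field, which is what the "dirty fields" proof of concept at the top of this page adds to the core error message.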



RE: Security Component and AJAX

2009-06-03 Thread Dave Maharaj :: WidePixels.com

You might be onto something there.

Initial profile page loads with an "edit" button by the user's profile section
to update part of the profile... click edit loads the form into a
div... "submit" saves the form via a second Ajax request... success: jQuery
effects, form fades out... updated selections fade in on the user's profile.

Dave

-Original Message-
From: Martin Westin [mailto:martin.westin...@gmail.com] 
Sent: June-03-09 9:09 AM
To: CakePHP
Subject: Re: Security Component and AJAX


Hi, I'm just butting in with a quick question. Something for you to check.

There is no other ajax request after the page loads and before the form is
posted? If so then this will also cause problems for SecurityComponent since
the token will be old.

/Martin

On Jun 3, 7:20 am, Miles J  wrote:
> At /joesmith/update/systems/, if you can debug the data you should be 
> able to save it. What exactly happens, a white page?





RE: Security Component and AJAX

2009-06-03 Thread Dave Maharaj :: WidePixels.com

Two different sets of data..

First is with Security component added in app_controller

When I debug 

debug($this->data); right before the save
$this->User->save($this->data, true,
array_keys($this->User->$join_table->schema()))

Array
(
[_Token] => Array
(
[key] => f653941fc718b276cf8f28b41f5bb1b3a812047c
[fields] =>
6c5072f719544a7d300fe09d7030e1da27e2652b%3An%3A0%3A%7B%7D
)

[System] => Array
(
[System] => Array
(
[0] => 13
[1] => 1
[2] => 9
[3] => 8
[4] => 7
[5] => 6
[6] => 11
[7] => 5
[8] => 4
[9] => 12
[10] => 2
[11] => 14
)

)

)

Debug the save itself and I get
1

Just the number 1 and nothing saves

Remove security component and debug the same save and I get

Array
(
[System] => Array
(
[System] => Array
(
[0] => 13
[1] => 7
[2] => 6
[3] => 11
[4] => 5
[5] => 4
[6] => 12
[7] => 2
[8] => 14
)

)

)

And the save returns number 1 
app/controllers/users_controller.php (line 236)

1

Which is debug($this->User->save($this->data, true,
array_keys($this->User->$join_table->schema())));

-----Original Message-
From: Miles J [mailto:mileswjohn...@gmail.com] 
Sent: June-03-09 2:50 AM
To: CakePHP
Subject: Re: Security Component and AJAX


At /joesmith/update/systems/, if you can debug the data you should be able
to save it. What exactly happens, a white page?





Re: Security Component and AJAX

2009-06-03 Thread Martin Westin

Hi, I'm just butting in with a quick question. Something for you to
check.

There is no other ajax request after the page loads and before the
form is posted? If so then this will also cause problems for
SecurityComponent since the token will be old.

/Martin

On Jun 3, 7:20 am, Miles J  wrote:
> At /joesmith/update/systems/, if you can debug the data you should be
> able to save it. What exactly happens, a white page?



Re: Security Component and AJAX

2009-06-02 Thread Miles J

At /joesmith/update/systems/, if you can debug the data you should be
able to save it. What exactly happens, a white page?



RE: Security Component and AJAX

2009-06-02 Thread Dave Maharaj :: WidePixels.com

This is what gets passed in the save

data[System][System]

data[System][System][]  13

data[System][System][]  11

data[System][System][]  3

data[System][System][]  4

data[System][System][]  2

data[System][System][]  14

-Original Message-
From: Miles J [mailto:mileswjohn...@gmail.com] 
Sent: June-03-09 1:37 AM
To: CakePHP
Subject: Re: Security Component and AJAX


Actually nvm I think I read it wrong.

What's the content passed during the ajax request (find it with Firebug).





Re: Security Component and AJAX

2009-06-02 Thread Miles J

Actually nvm I think I read it wrong.

What's the content passed during the ajax request (find it with
Firebug).



RE: Security Component and AJAX

2009-06-02 Thread Dave Maharaj :: WidePixels.com

Not sure I fully understand "Your Ajax fields need to be wrapped in data[]"

The form looks like this:

<?php echo $form->create(array('type' => 'post', 'action' => 'update')); ?>

Select from the options below

<?php echo $form->input($model_table, array(
    'multiple' => 'checkbox',
    'label' => false
)); ?>

<?php echo $form->end('Submit'); ?>

Just a bunch of check boxes.

Dave

-Original Message-----
From: Miles J [mailto:mileswjohn...@gmail.com] 
Sent: June-03-09 1:19 AM
To: CakePHP
Subject: Re: Security Component and AJAX


If you are doing it that way, there's no possible way for your data to show
up in $this->data. Your ajax fields need to be wrapped in data[], else it
should show up in $this->params['form'].





Re: Security Component and AJAX

2009-06-02 Thread Miles J

If you are doing it that way, there's no possible way for your data to
show up in $this->data. Your ajax fields need to be wrapped in data[],
else it should show up in $this->params['form'].



RE: Security Component and AJAX

2009-06-02 Thread Dave Maharaj :: WidePixels.com


$(document).ready(function() {
    $('#UserUpdateForm').bind('submit', function() {
        var numRand = Math.floor(Math.random()*10);
        var queryString = $('#UserUpdateForm').formSerialize();
        $(this).ajaxSubmit({
            type:   'post',
            url:    '/joesmith/update/systems/' + numRand,
            data:   queryString,
            target: '#systems'
            //success: function() {$(this).fadeOut("slow")}
        });
        return false; // <-- important!
    });
});

-Original Message-
From: Miles J [mailto:mileswjohn...@gmail.com] 
Sent: June-03-09 12:53 AM
To: CakePHP
Subject: Re: Security Component and AJAX


Can I see your js ajax code.





Re: Security Component and AJAX

2009-06-02 Thread Miles J

Can I see your js ajax code.



RE: Security Component and AJAX

2009-06-02 Thread Dave Maharaj :: WidePixels.com

Nope...still same thing. I will just secure the form myself and add security
to the controllers that need them individually for now.

Thanks again for your insight and fast response.

Dave

-Original Message-
From: brian [mailto:bally.z...@gmail.com] 
Sent: June-02-09 11:28 PM
To: cake-php@googlegroups.com
Subject: Re: Security Component and AJAX


On Tue, Jun 2, 2009 at 9:37 PM, Dave Maharaj :: WidePixels.com
 wrote:
>
> My Ajax functions are in different controllers but I added
>
> function beforeFilter()
> {
>     parent::beforeFilter();
>     if ($this->params['action'] == 'update_systems')
>     {
>         $this->Security->validatePost = false;
>     }
> }

As it's AJAX requests that are the problem, I'd do this instead:

function beforeFilter()
{
    parent::beforeFilter();

    if ($this->RequestHandler->isAjax())
    {
        $this->Security->validatePost = false;
    }
}






Re: Security Component and AJAX

2009-06-02 Thread brian

On Tue, Jun 2, 2009 at 9:37 PM, Dave Maharaj :: WidePixels.com
 wrote:
>
> My Ajax functions are in different controllers but I added
>
> function beforeFilter()
> {
>     parent::beforeFilter();
>     if ($this->params['action'] == 'update_systems')
>     {
>         $this->Security->validatePost = false;
>     }
> }

As it's AJAX requests that are the problem, I'd do this instead:

function beforeFilter()
{
    parent::beforeFilter();

    if ($this->RequestHandler->isAjax())
    {
        $this->Security->validatePost = false;
    }
}




RE: Security Component and AJAX

2009-06-02 Thread Dave Maharaj :: WidePixels.com

My Ajax functions are in different controllers but I added

function beforeFilter()
{
    parent::beforeFilter();
    if ($this->params['action'] == 'update_systems')
    {
        $this->Security->validatePost = false;
    }
}

but when I submit the form I debug $this->data and still see

Array
(
[_Token] => Array
(
[key] => 405c4e360e9cc6f6df4f3c112c03c7a16b104ddf
[fields] =>
6c5072f719544a7d300fe09d7030e1da27e2652b%3An%3A0%3A%7B%7D
)

And the updated data is not saved

Ideas?

Thanks,

Dave  
-Original Message-
From: Miles J [mailto:mileswjohn...@gmail.com] 
Sent: June-02-09 10:51 PM
To: CakePHP
Subject: Re: Security Component and AJAX


Security component does not work in conjunction with Ajax.

If all your ajax requests are in a controller called Ajax, simply place this
in the beforeFilter().

/**
 * Executed before each action
 */
function beforeFilter() {
    parent::beforeFilter();

    // Turn debug off for ajax calls
    Configure::write('debug', 0);

    // Security
    $this->Security->validatePost = false;

    // Not ajax
    if (!$this->RequestHandler->isAjax()) {
        $this->Security->blackHole($this, 'You are not authorized to process this request!');
    }
}






Re: Security Component and AJAX

2009-06-02 Thread Miles J

Security component does not work in conjunction with Ajax.

If all your ajax requests are in a controller called Ajax, simply
place this in the beforeFilter().

/**
 * Executed before each action
 */
function beforeFilter() {
    parent::beforeFilter();

    // Turn debug off for ajax calls
    Configure::write('debug', 0);

    // Security
    $this->Security->validatePost = false;

    // Not ajax
    if (!$this->RequestHandler->isAjax()) {
        $this->Security->blackHole($this, 'You are not authorized to process this request!');
    }
}
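An added example for this thread (not code posted to the list and not CakePHP's own): instead of switching validatePost off for a whole controller, keep a per-controller allowlist of XHR-only actions, and give SecurityComponent a blackHoleCallback so a rejected request is logged and answered with a visible 403 rather than the blank page Miles describes further down. It uses the CakePHP 1.2 APIs the posts above use (validatePost, blackHole(), RequestHandler::isAjax(), Controller::$action); $ajaxActions, securityBlackhole(), the SystemsController and its System model are names chosen here.

```php
<?php
// Added example, not code from the thread or from CakePHP.
// $ajaxActions and securityBlackhole() are names chosen here.

class AppController extends Controller {
    var $components = array('Security', 'RequestHandler');

    // Per-controller allowlist of actions driven by XMLHttpRequest. Only
    // these skip the _Token check; every other POST is still validated.
    var $ajaxActions = array();

    function beforeFilter() {
        parent::beforeFilter();

        // Route every black hole through one handler so the rejection is
        // logged and visible instead of the silent default redirect.
        $this->Security->blackHoleCallback = 'securityBlackhole';

        if (in_array($this->action, $this->ajaxActions, true)) {
            // An exempted action may only be reached by XHR. A plain
            // browser POST to it would arrive with no token and no
            // validation, so reject it outright.
            if (!$this->RequestHandler->isAjax()) {
                $this->Security->blackHole($this, 'ajax');
                return;
            }
            $this->Security->validatePost = false;
        }
    }

    // Receives the error string passed to blackHole(): 'auth' for a
    // failed _Token check, 'ajax' for the case above, and so on.
    function securityBlackhole($error) {
        $this->log(sprintf(
            'SecurityComponent blackhole type=%s url=%s ip=%s',
            $error, $this->here, env('REMOTE_ADDR')
        ), LOG_DEBUG);

        $this->header('HTTP/1.1 403 Forbidden');
        $this->autoRender = false;
        echo 'Request rejected.';
        $this->_stop();
    }
}

// Dave's case: one XHR-only action in an otherwise token-protected
// controller. Model name System is assumed.
class SystemsController extends AppController {
    var $ajaxActions = array('update_systems');

    function update_systems() {
        $this->autoRender = false;
        $saved = false;
        if (!empty($this->data)) {
            // _Token may still be present in $this->data (FormHelper put
            // it there); it is simply not validated for this action.
            $saved = (bool)$this->System->save($this->data);
        }
        echo json_encode(array('saved' => $saved));
    }
}
```

The log line is what you grep for when a form "mysteriously" stops saving: a black-holed request never reaches the action, so without the callback the only symptom is the empty response Miles and Dave both report.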




Re: Security component and AJAX

2009-04-21 Thread Brendon Kozlowski

That's a handy solution, thanks for sharing, Martin.

On Apr 21, 7:27 am, Martin Westin wrote:
> SecurityComponent does not do much for Ajax requests. At least not in
> that way.
>
> I use $this->Post->del($id) less and less. Instead I use deleteAll() in
> this way:
> $this->Post->deleteAll(array(
>     'Post.id' => $id,
>     'Post.author_id' => $auth_user_id
> ), true, true);
>
> This will ensure that a user can only delete their own posts... ajax
> or plain request does not matter. SecurityComponent can not take care
> of all your security even without ajax and deleting with conditions is
> a good way to limit the possible damage.
>
> On Apr 21, 6:04 am, "Dave Maharaj :: WidePixels.com" wrote:
> > I have just been messing around with my app and changing values in Ajax
> > links with Firebug to see what happens...sure enough I can be logged in as
> > user 1 and thru an Ajax form delete a post by User 2. Been reading about the
> > Security Component but seems from what I have found is that it does not work
> > with AJAX requests. Is this true? What is the best way to secure an app by
> > preventing people from using Firebug to edit the code and submit/edit/delete
> > info?
>
> > I have general if this Auth User('id') = $this type setup for users/owners
> > and so on but how can you prevent the data in forms from being manipulated?
>
> > Thanks,
>
> > Dave



Re: Security component and AJAX

2009-04-21 Thread Martin Westin

SecurityComponent does not do much for Ajax requests. At least not in
that way.

I use $this->Post->del($id) less and less. Instead I use deleteAll() in
this way:
$this->Post->deleteAll(array(
    'Post.id' => $id,
    'Post.author_id' => $auth_user_id
), true, true);

This will ensure that a user can only delete their own posts... ajax
or plain request does not matter. SecurityComponent can not take care
of all your security even without ajax and deleting with conditions is
a good way to limit the possible damage.



On Apr 21, 6:04 am, "Dave Maharaj :: WidePixels.com" wrote:
> I have just been messing around with my app and changing values in Ajax
> links with Firebug to see what happens...sure enough I can be logged in as
> user 1 and thru an Ajax form delete a post by User 2. Been reading about the
> Security Component but seems from what I have found is that it does not work
> with AJAX requests. Is this true? What is the best way to secure an app by
> preventing people from using Firebug to edit the code and submit/edit/delete
> info?
>
> I have general if this Auth User('id') = $this type setup for users/owners
> and so on but how can you prevent the data in forms from being manipulated?
>
> Thanks,
>
> Dave
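An added example of Martin's point (not code posted to the list and not CakePHP's own): a PostsController in the CakePHP 1.2 style of these posts, with the pattern Dave describes (trust the id in the request) beside a delete whose ownership check is a condition of the DELETE itself, so it holds for XHR and plain requests alike and does not depend on SecurityComponent at all. Model and field names (Post, author_id) are Martin's; the Auth and Session components, the flash messages and the log line are assumptions made here.

```php
<?php
// Added example, not code from the thread or from CakePHP.
// Auth/Session components, flash messages and logging are assumptions.

class PostsController extends AppController {
    var $components = array('Auth', 'Security', 'RequestHandler', 'Session');

    // BEFORE: any logged-in user can delete any post by editing the id
    // in the form or link (Dave's Firebug experiment).
    function delete_unscoped($id) {
        $this->Post->del($id);
        $this->redirect(array('action' => 'index'));
    }

    // AFTER: the owner is part of the WHERE clause, not a separate
    // check that a later refactor might drop.
    function delete($id) {
        $userId = $this->Auth->user('id');
        $conditions = array(
            'Post.id' => $id,
            'Post.author_id' => $userId,
        );

        // Tell "nothing matched" apart from success so a tampered id is
        // logged instead of silently doing nothing. The response is the
        // same for "not yours" and "does not exist".
        if (!$this->Post->hasAny($conditions)) {
            $this->log(sprintf('delete refused: post=%s user=%s ip=%s',
                $id, $userId, env('REMOTE_ADDR')), LOG_DEBUG);
            $this->Session->setFlash('Post not found.');
            $this->redirect(array('action' => 'index'));
            return;
        }

        // The same owner-bound conditions go on the actual DELETE; the
        // hasAny() above only decides what to tell the user, the query
        // is what enforces ownership.
        $this->Post->deleteAll($conditions, true, true);
        $this->Session->setFlash('Post deleted.');
        $this->redirect(array('action' => 'index'));
    }
}
```

The same shape works for updates: put `'Post.author_id' => $userId` into the conditions of the read that precedes the save, and an edited hidden id field finds no row rather than someone else's.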



Re: Security component breaks my ajax requests

2009-03-02 Thread Miles J

It also seems any post I make normally just goes to a white page. This
security component is quite confusing.



Re: Security component breaks my ajax requests

2009-03-01 Thread Miles J

Thanks that worked. But now im trying to blackhole a non ajax request,
and this doesnt seem to work either.

if (!$this->RequestHandler->isAjax()) {
    $this->Security->blackHole($this, 'You are not authorized to process this request!');
}

How exactly can I tell if the blackhole works, if I just get a white
page?



Re: Security component breaks my ajax requests

2009-02-28 Thread Adam Royle

Looking at the Security component source, you need to override the 
validatePost value in SecurityComponent. The following is untested code, 
but I think it should work.

function beforeFilter() {
    if ($this->action == 'your_action') {
        $this->Security->validatePost = false;
    }
    parent::beforeFilter();
}

Miles J wrote:
> When I add the Security component, all my ajax requests fail. They
> never finish or return data. I am using jQuery and not the built in
> ajax.
>
> What do I have to do to allow this to work? The manual for Security is
> a bit vague.




Re: Security-Component-form-checks?

2009-02-03 Thread Braindead

As far as I know the SecurityComponent checks for hidden fields.
But you could try it out using Firebug. ;-)



Re: Security-Component-form-checks?

2009-02-03 Thread Aurelius

anyone?

On 31 Jan., 11:52, Aurelius wrote:
> When I use the form-Helper and the security-component, do I have to
> check if the user changes the value of hidden fields (like id, and
> foreign keys like author_id) or do the security-component auto-check
> that through the data[_Token][key]?
>
> thx
> Aurelius



Re: Security Component

2008-11-07 Thread rgreenphotodesign

Problem solved, server config issue.

Now for the real question!! Is what I've done the best practice???

Thanks!!

On Nov 7, 1:02 pm, rgreenphotodesign <[EMAIL PROTECTED]> wrote:
> If it helps, I'm running a Linux server with Ubuntu. Apache set up as
> virtual hosts. So it may be a config issues there, but my doc root is
> set correct on my 443 VH.
>
> On Nov 7, 12:43 pm, rgreenphotodesign <[EMAIL PROTECTED]> wrote:
>
> > Hi All,
>
> > I'm working on implementing the security component for the follow
> > functionality:
>
> > My site will have a "donate" page that will accept CC's and such so
> > need to be https://.
>
> > In my controller I'm using the beforeFilter with requireSecure and the
> > action I'm securing. My blackHoleCallback function is as follows:
>
> >     function secureAction($param)
> >     {
> >         if (!env("HTTPS")) {
> >             $this->redirect("https://".env('HTTP_HOST')."/".$_GET['url']);
> >         }
> >     }
>
> > The redirected URL looks good except I get Not Found errors. All links
> > after I've switched to https get the same error. I've got to be
> > missing something that is like stupid simple, but obviously I'm
> > missing it. Is this a code problem(me not using cake correct, not an
> > internal cake code problem!!) or a server configuration issue?
> > Any hints or help would be wonderful!
>
> > Thanks, Russ



Re: Security Component

2008-11-07 Thread rgreenphotodesign

If it helps, I'm running a Linux server with Ubuntu. Apache set up as
virtual hosts. So it may be a config issues there, but my doc root is
set correct on my 443 VH.



On Nov 7, 12:43 pm, rgreenphotodesign <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I'm working on implementing the security component for the follow
> functionality:
>
> My site will have a "donate" page that will accept CC's and such so
> need to be https://.
>
> In my controller I'm using the beforeFilter with requireSecure and the
> action I'm securing. My blackHoleCallback function is as follows:
>
>     function secureAction($param)
>     {
>         if (!env("HTTPS")) {
>             $this->redirect("https://".env('HTTP_HOST')."/".$_GET['url']);
>         }
>     }
>
> The redirected URL looks good except I get Not Found errors. All links
> after I've switched to https get the same error. I've got to be
> missing something that is like stupid simple, but obviously I'm
> missing it. Is this a code problem(me not using cake correct, not an
> internal cake code problem!!) or a server configuration issue?
> Any hints or help would be wonderful!
>
> Thanks, Russ



Re: Security Component HTTP digest authentication

2007-10-24 Thread jcsiegrist

Ok thanks! I thought I could use it so I don't have the password
stored in plain text. I guess it just protects the password in
transit.

On a shared host I don't like to store the passwords in plain text.
I'll just switch to auth or so...

:jc

On Oct 23, 3:00 pm, nate <[EMAIL PROTECTED]> wrote:
> You actually have to give it the password in plaintext as well in
> order for it to generate the necessary hash data.
>
> On Oct 23, 1:57 am, jcsiegrist <[EMAIL PROTECTED]> wrote:
>
> > Hi everyone,
>
> > I'm trying to use the Security HTTP authentication features. While I
> > can get basic authentication to work, I just can't get digest to work.
> > I'm using 1.2r5879.
>
> > I use this call to the Security component in the beforeFilter of my
> > AppController
>
> > $this->Security->requireLogin('*', array(
> >     'users' => array('admin' => 'bb5fd3344ae62a91d6aee3947fca'),
> >     'type' => 'digest',
> >     'realm' => 'admin'
> > ));
>
> > I've tried also md5 hashing the username, but that didn't make any
> > difference. I'm guessing that I need to be doing something different
> > to my stored hash of the password and/or username. Can someone point
> > me in the right direction? Thank You.
>
> > :jc





Re: Security Component HTTP digest authentication

2007-10-23 Thread nate

You actually have to give it the password in plaintext as well in
order for it to generate the necessary hash data.

On Oct 23, 1:57 am, jcsiegrist <[EMAIL PROTECTED]> wrote:
> Hi everyone,
>
> I'm trying to use the Security HTTP authentication features. While I
> can get basic authentication to work, I just can't get digest to work.
> I'm using 1.2r5879.
>
> I use this call to the Security component in the beforeFilter of my
> AppController
>
> $this->Security->requireLogin('*', array(
>     'users' => array('admin' => 'bb5fd3344ae62a91d6aee3947fca'),
>     'type' => 'digest',
>     'realm' => 'admin'
> ));
>
> I've tried also md5 hashing the username, but that didn't make any
> difference. I'm guessing that I need to be doing something different
> to my stored hash of the password and/or username. Can someone point
> me in the right direction? Thank You.
>
> :jc
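An added example for this thread (not code posted to the list and not CakePHP's requireLogin(), which, per nate, wants the plaintext): the RFC 2617 arithmetic behind HTTP Digest, so jc's storage question is concrete. A Digest server never needs the password itself, only HA1 = md5(user:realm:password), and HA1 is what a careful deployment keeps on disk (it is bound to one realm; renaming the realm invalidates every stored HA1). Whether the 1.2 component can be handed a precomputed HA1 is not established in this thread. The header values below are RFC 2617's own worked example, used here as constructed input; the function names are chosen here.

```php
<?php
// Added example, not code from the thread or from CakePHP.
// RFC 2617 Digest verification from a stored HA1 (qop=auth and legacy
// no-qop forms; auth-int is deliberately not handled).

function digestHA1($user, $realm, $password) {
    return md5($user . ':' . $realm . ':' . $password);
}

// Parse the value of an "Authorization: Digest ..." header into key => value.
function digestParse($header) {
    $params = array();
    $header = preg_replace('/^\s*Digest\s+/i', '', $header);
    if (preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER)) {
        foreach ($m as $pair) {
            // Group 3 only exists for the unquoted form; otherwise use group 2.
            $params[$pair[1]] = (isset($pair[3]) && $pair[3] !== '') ? $pair[3] : $pair[2];
        }
    }
    return $params;
}

// Check a client's response using only the stored HA1.
function digestVerify($storedHA1, $method, array $p) {
    foreach (array('uri', 'nonce', 'response') as $k) {
        if (!isset($p[$k])) {
            return false;
        }
    }
    $ha2 = md5($method . ':' . $p['uri']);
    if (isset($p['qop'])) {
        if ($p['qop'] !== 'auth' || !isset($p['nc'], $p['cnonce'])) {
            return false;
        }
        $expected = md5("$storedHA1:{$p['nonce']}:{$p['nc']}:{$p['cnonce']}:auth:$ha2");
    } else {
        $expected = md5("$storedHA1:{$p['nonce']}:$ha2");
    }
    // Constant-time comparison; hash_equals() needs PHP 5.6 or later.
    return hash_equals($expected, $p['response']);
}

// What the user table would hold instead of the string "Circle Of Life".
$storedHA1 = digestHA1('Mufasa', 'testrealm@host.com', 'Circle Of Life');

// Constructed request: the RFC 2617 section 3.5 example exchange.
$header = 'Digest username="Mufasa", realm="testrealm@host.com", '
        . 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
        . 'qop=auth, nc=00000001, cnonce="0a4f113b", '
        . 'response="6629fae49393a05397450978507c4ef1"';

var_dump(digestVerify($storedHA1, 'GET', digestParse($header)));
```

Two things the arithmetic alone does not give you: the server must also confirm that `nonce` is one it issued recently and that `nc` has not been seen before for that nonce (otherwise a captured header replays), and the `uri` in the header must match the request line. And note nate's caveat still applies: the md5 of a weak password, realm-bound or not, is only as strong as the password.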





Re: Security component and forms

2007-08-14 Thread Timo Derstappen

probably to make searches linkable.

On 8/14/07, Chris Hartjes <[EMAIL PROTECTED]> wrote:
>
> On 8/14/07, Timo Derstappen <[EMAIL PROTECTED]> wrote:
> >
> > I admit that there are very few use cases, but there is one already
> > mentioned by sergerod: searches. Have a look at google's search box.
>
> So because Google uses a GET form for doing searches, that is somehow
> the accepted way to do it?  The *real* question is *why* Google chose
> to do it as a GET request as opposed to a POST request.  Perhaps
> something to do with the amount of data submitted as part of a POST?
>
> I have no idea, but it's an interesting (and totally offtopic) thought.
>
>
> --
> Chris Hartjes
> Senior Developer
> Cake Development Corporation
>
> My motto for 2007:  "Just build it, damnit!"
>
> @TheBallpark - http://www.littlehart.net/attheballpark
> @TheKeyboard - http://www.littlehart.net/atthekeyboard
>


-- 
Timo Derstappen

http://teemow.com
mailto:[EMAIL PROTECTED]




Re: Security component and forms

2007-08-14 Thread Chris Hartjes

On 8/14/07, Timo Derstappen <[EMAIL PROTECTED]> wrote:
>
> I admit that there are very few use cases, but there is one already
> mentioned by sergerod: searches. Have a look at google's search box.

So because Google uses a GET form for doing searches, that is somehow
the accepted way to do it?  The *real* question is *why* Google chose
to do it as a GET request as opposed to a POST request.  Perhaps
something to do with the amount of data submitted as part of a POST?

I have no idea, but it's an interesting (and totally offtopic) thought.


-- 
Chris Hartjes
Senior Developer
Cake Development Corporation

My motto for 2007:  "Just build it, damnit!"

@TheBallpark - http://www.littlehart.net/attheballpark
@TheKeyboard - http://www.littlehart.net/atthekeyboard




Re: Security component and forms

2007-08-14 Thread Timo Derstappen

I admit that there are very few use cases, but there is one already
mentioned by sergerod: searches. Have a look at google's search box.

On 8/14/07, Chris Hartjes <[EMAIL PROTECTED]> wrote:
>
> On 8/14/07, teemow <[EMAIL PROTECTED]> wrote:
> >
> > What's the security difference between GET and POST. This has nothing
> > to do with security.
>
> My fault for not fully explaining myself.  You are correct that GET
> and POST have nothing to do with security.
>
> > Semantically and for the sake of REST: If you use a form to retrieve
> > something from your application, it may even more make sense to use a
> > GET. On the other hand if you change something (add/update) with your
> > form you should definitely use a POST.
>
> Interesting advice, but I've made it a personal practice to never
> create a form that uses GET.  I'd love to hear a good, constructive
> reason for when a GET is preferred to a POST when creating a form that
> submits information somewhere.  I don't see any reason to use GET for
> a form.
>
> --
> Chris Hartjes
> Senior Developer
> Cake Development Corporation
>
> My motto for 2007:  "Just build it, damnit!"
>
> @TheBallpark - http://www.littlehart.net/attheballpark
> @TheKeyboard - http://www.littlehart.net/atthekeyboard
>


-- 
Timo Derstappen

http://teemow.com
mailto:[EMAIL PROTECTED]




Re: Security component and forms

2007-08-14 Thread Chris Hartjes

On 8/14/07, teemow <[EMAIL PROTECTED]> wrote:
>
> What's the security difference between GET and POST. This has nothing
> to do with security.

My fault for not fully explaining myself.  You are correct that GET
and POST have nothing to do with security.

> Semantically and for the sake of REST: If you use a form to retrieve
> something from your application, it may even more make sense to use a
> GET. On the other hand if you change something (add/update) with your
> form you should definitely use a POST.

Interesting advice, but I've made it a personal practice to never
create a form that uses GET.  I'd love to hear a good, constructive
reason for when a GET is preferred to a POST when creating a form that
submits information somewhere.  I don't see any reason to use GET for
a form.

-- 
Chris Hartjes
Senior Developer
Cake Development Corporation

My motto for 2007:  "Just build it, damnit!"

@TheBallpark - http://www.littlehart.net/attheballpark
@TheKeyboard - http://www.littlehart.net/atthekeyboard




Re: Security component and forms

2007-08-14 Thread teemow

What's the security difference between GET and POST. This has nothing
to do with security.

Semantically and for the sake of REST: If you use a form to retrieve
something from your application, it may even more make sense to use a
GET. On the other hand if you change something (add/update) with your
form you should definitely use a POST.

Cheers,
Timo

On Aug 13, 2:09 pm, "Chris Hartjes" <[EMAIL PROTECTED]> wrote:
> On 8/13/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > A small request for developers of Security component. :-) Please make
> > an ability to switch off form data validation and autocreation of
> > hidden '__Token' fields when using Security and form/ajax helper in
> > Cake 1.2.
>
> > I know about Controller->disableFields. But automatically generated
> > __Tokens are inserted into the form anyway. This is not good for forms
> > with GET method.
>
> Why would you EVER use a form that uses the GET method.  That's like
> PHP security 101.
>
> --
> Chris Hartjes
> Senior Developer
> Cake Development Corporation
>
> My motto for 2007:  "Just build it, damnit!"
>
> @TheBallpark - http://www.littlehart.net/attheballpark
> @TheKeyboard - http://www.littlehart.net/atthekeyboard





Re: Security component and forms

2007-08-13 Thread [EMAIL PROTECTED]

I use these forms to make a custom filters or searches.

On Aug 13, 4:09 pm, "Chris Hartjes" <[EMAIL PROTECTED]> wrote:
> On 8/13/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > A small request for developers of Security component. :-) Please make
> > an ability to switch off form data validation and autocreation of
> > hidden '__Token' fields when using Security and form/ajax helper in
> > Cake 1.2.
>
> > I know about Controller->disableFields. But automatically generated
> > __Tokens are inserted into the form anyway. This is not good for forms
> > with GET method.
>
> Why would you EVER use a form that uses the GET method.  That's like
> PHP security 101.
>
> --
> Chris Hartjes
> Senior Developer
> Cake Development Corporation
>
> My motto for 2007:  "Just build it, damnit!"
>
> @TheBallpark - http://www.littlehart.net/attheballpark
> @TheKeyboard - http://www.littlehart.net/atthekeyboard





Re: Security component and forms

2007-08-13 Thread Chris Hartjes

On 8/13/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> A small request for developers of Security component. :-) Please make
> an ability to switch off form data validation and autocreation of
> hidden '__Token' fields when using Security and form/ajax helper in
> Cake 1.2.
>
> I know about Controller->disableFields. But automatically generated
> __Tokens are inserted into the form anyway. This is not good for forms
> with GET method.
>

Why would you EVER use a form that uses the GET method.  That's like
PHP security 101.

-- 
Chris Hartjes
Senior Developer
Cake Development Corporation

My motto for 2007:  "Just build it, damnit!"

@TheBallpark - http://www.littlehart.net/attheballpark
@TheKeyboard - http://www.littlehart.net/atthekeyboard




Re: Security Component in 1.2

2007-06-18 Thread nate

On Jun 18, 12:19 pm, Ketan Patel <[EMAIL PROTECTED]> wrote:
> I perfectly agree that the Security Component is doing its job and I
> do understand what requirePost and requireAuth purpose is for.

Again, I really don't think you do. : /

> However, in case like users registration page, you would want to have
> requireAuth and requirePost only after the form is submitted not prior
> to form submission. My request for enhancement was from this
> perspective.

Exactly.  In this case you'd only use requireAuth, since the
requireAuth check only happens on POST requests.  Also, in your case,
requirePost is by definition irrelevant, since you allow both GET and
POST requests to the same action.


> On Jun 18, 12:09 am, nate <[EMAIL PROTECTED]> wrote:
>
> > I responded to your ticket: https://trac.cakephp.org/ticket/2783
>
> > On Jun 17, 10:15 pm, Ketan Patel <[EMAIL PROTECTED]> wrote:
>
> > > I have made a request for enhancements to Security Component
> > > at https://trac.cakephp.org/ticket/2783 ... The details are below and I
> > > would like some open discussion on this enhancements from bakers.
>
> > > Ticket Details:
>
> > > With security component, if one ever wants to use requirePost and
> > > requireAuth, then its implementation is not quite straight forward and
> > > requires bit of code change to make it work.
>
> > > Say for an action 'register' in controller 'Users', I want to use
> > > requireAuth and requirePost. Based on current implementation, I have
> > > to make a post request to the 'register' action for a user to view
> > > that page. This involves change and is a bit painful to implement. In
> > > reality, one would never want to check whether the request is Post or
> > > Get for initial view. It is only important when the form is submitted
> > > to that action. Same goes with requireAuth.
>
> > > What I would really like to see is that, the initial visit to the
> > > 'register' action should not check for the requirePost or requireAuth
> > > but only check when the form is submitted.
>
> > > I have modified the code so that it checks if there is any
> > > '$controller->data' then the requirePost and requireAuth is checked,
> > > otherwise it is by-passed.
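An added example for this thread (not code posted to the list and not CakePHP's own): a UsersController in the CakePHP 1.2 style of these posts showing the distinction nate draws. requireAuth('register') is only checked once the form is submitted, so the GET that renders the empty form passes with no change to the component, which is what the ticket asks for; requirePost('close_account') rejects a GET before the action runs, so a state-changing action cannot be triggered by following a link. The model and field names (User, username, password), the Auth and Session components and the close_account action are assumptions made here.

```php
<?php
// Added example, not code from the thread or from CakePHP.
// Model/field names, Auth/Session components and close_account() are assumed.

class UsersController extends AppController {
    var $components = array('Auth', 'Security', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->allow('register');

        // Checked only when form data is submitted: the _Token must be
        // present, belong to this session, and have been issued for this
        // controller/action. The initial GET is not affected.
        $this->Security->requireAuth('register');

        // Any non-POST request to this action is black-holed before the
        // action body runs.
        $this->Security->requirePost('close_account');
    }

    function register() {
        if (!empty($this->data)) {
            // Only reached after the token check passed.
            $this->User->create();
            if ($this->User->save($this->data)) {
                $this->Session->setFlash('Account created, please log in.');
                $this->redirect(array('action' => 'login'));
            }
            $this->Session->setFlash('Please correct the errors below.');
        }
        // First visit (GET) or failed save: render the form. FormHelper
        // adds the hidden _Token fields that requireAuth will check on POST.
    }

    function close_account() {
        // POST-only via requirePost; the id comes from the session, never
        // from the request, so there is no id to tamper with.
        $this->User->del($this->Auth->user('id'));
        $this->redirect($this->Auth->logout());
    }
}
```

Adding requirePost('register') on top of this, as the ticket originally tried, is what forces the first visit to be a POST: the action serves both the blank form and the submission, so it must accept GET, and requireAuth alone gives the submission the protection the ticket wants.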





Re: Security Component in 1.2

2007-06-18 Thread Ketan Patel

I perfectly agree that the Security Component is doing its job and I
do understand what requirePost and requireAuth purpose is for.

However, in case like users registration page, you would want to have
requireAuth and requirePost only after the form is submitted not prior
to form submission. My request for enhancement was from this
perspective.

On Jun 18, 12:09 am, nate <[EMAIL PROTECTED]> wrote:
> I responded to your ticket: https://trac.cakephp.org/ticket/2783
>
> On Jun 17, 10:15 pm, Ketan Patel <[EMAIL PROTECTED]> wrote:
>
> > I have made a request for enhancements to Security Component
> > at https://trac.cakephp.org/ticket/2783 ... The details are below and I
> > would like some open discussion on this enhancements from bakers.
>
> > Ticket Details:
>
> > With security component, if one ever wants to use requirePost and
> > requireAuth, then its implementation is not quite straight forward and
> > requires bit of code change to make it work.
>
> > Say for an action 'register' in controller 'Users', I want to use
> > requireAuth and requirePost. Based on current implementation, I have
> > to make a post request to the 'register' action for a user to view
> > that page. This involves change and is a bit painful to implement. In
> > reality, one would never want to check whether the request is Post or
> > Get for initial view. It is only important when the form is submitted
> > to that action. Same goes with requireAuth.
>
> > What I would really like to see is that, the initial visit to the
> > 'register' action should not check for the requirePost or requireAuth
> > but only check when the form is submitted.
>
> > I have modified the code so that it checks if there is any
> > '$controller->data' then the requirePost and requireAuth is checked,
> > otherwise it is by-passed.





Re: Security Component in 1.2

2007-06-17 Thread nate

I responded to your ticket: https://trac.cakephp.org/ticket/2783

On Jun 17, 10:15 pm, Ketan Patel <[EMAIL PROTECTED]> wrote:
> I have made a request for enhancements to Security Component
> at https://trac.cakephp.org/ticket/2783 ... The details are below and I
> would like some open discussion on this enhancements from bakers.
>
> Ticket Details:
>
> With security component, if one ever wants to use requirePost and
> requireAuth, then its implementation is not quite straight forward and
> requires bit of code change to make it work.
>
> Say for an action 'register' in controller 'Users', I want to use
> requireAuth and requirePost. Based on current implementation, I have
> to make a post request to the 'register' action for a user to view
> that page. This involves change and is a bit painful to implement. In
> reality, one would never want to check whether the request is Post or
> Get for initial view. It is only important when the form is submitted
> to that action. Same goes with requireAuth.
>
> What I would really like to see is that, the initial visit to the
> 'register' action should not check for the requirePost or requireAuth
> but only check when the form is submitted.
>
> I have modified the code so that it checks if there is any
> '$controller->data' then the requirePost and requireAuth is checked,
> otherwise it is by-passed.





Re: Security component - multiple tabs and AJAX problem

2006-09-12 Thread nate

Sounds like a possible solution.  Open an Enhancement ticket at
https://trac.cakephp.org/

