On Mon, Oct 27, 2014 at 10:38 PM, Florian Krämer wrote:
> I've turned the idea into an implementation. Proof of concept goes here:
> https://github.com/burzum/cakephp/commit/9d8f6b4cb7653dd14130af68dbc632e9055d8d76
>
> Cool! I will try this out...
Tarique
--
Like Us on FaceBook https://www.f
tober 19, 2014 12:26:44 AM UTC+2, glk wrote:
>
> Florian... What a wonderful idea.
>
> Just wish I understood all of Cake well enough to help implement. I've
> fought with the Security Component many times and, although I've never
> lost, it has created many headache
Florian... What a wonderful idea.
Just wish I understood all of Cake well enough to help implement. I've
fought with the Security Component many times and, although I've never
lost, it has created many headaches. Hope the Development team can add
this functionality during
Mark wouldn't it be possible to keep track of these changes somehow via
debug kit? Save the original keys to session and then do the same
comparison with the data that the security component does but without the
hashing but an array diff instead?
On Friday, September 12, 2014 4:32:32 AM
hat was generated in the past.
>
> -Mark
>
>
> On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:
>>
>> I've got an app i have been maintaining for a while now. The security
>> component causes more headaches than anything else. In fact, because
>
app i have been maintaining for a while now. The security
> component causes more headaches than anything else. In fact, because
> cakephp is so nice to work with, i think Security Component (SC) causes all
> the headaches...
>
> I've read through the docs a fair bit, i have bits of
a
>>>> multi-select for selecting the associated users.
>>>>
>>>> In PromotionsTable::
>>>> public function initialize(array $config) {
>>>> $this->table('promotions');
>>>> $this->displayField('name');
>>>> $this->
's awkward having it and then not using it. Once the site gets
hacked, I'll have to stand at the front and tell all the others why I didn't
use the security component.
I do a lot of other stuff to white list fields etc to mitigate this (and
the site gets penetration tested and hasn't been
've got an app I have been maintaining for a while now. The security
> component causes more headaches than anything else. In fact, because
> cakephp is so nice to work with, i think Security Component (SC) causes all
> the headaches...
>
> I've read through the docs a fai
I've got an app i have been maintaining for a while now. The security
component causes more headaches than anything else. In fact, because
cakephp is so nice to work with, i think Security Component (SC) causes all
the headaches...
I've read through the docs a fair bit, i have bi
=> 'user_id',
> ]);
> $this->belongsToMany('Users', [
> 'foreignKey' => 'promotion_id',
> 'targetForeignKey' => 'user_id',
> 'joinTable' => 'promotions_users',
> ]);
> }
>
> Data s
he associated users.
>>>
>>> In PromotionsTable::
>>> public function initialize(array $config) {
>>> $this->table('promotions');
>>> $this->displayField('name');
>>> $this->primaryKey('id');
>>>
>
ing the associated users.
>>
>> In PromotionsTable::
>> public function initialize(array $config) {
>> $this->table('promotions');
>> $this->displayField('name');
>> $this->primaryKey('id');
>>
>> $this-
rs', [
> 'foreignKey' => 'user_id',
> ]);
> $this->belongsToMany('Users', [
> 'foreignKey' => 'promotion_id',
> 'targetForeignKey' => 'user_id',
> 'joinTable' => 'promotions_users
');
$this->displayField('name');
$this->primaryKey('id');
$this->belongsTo('Users', [
'foreignKey' => 'user_id',
]);
$this->belongsToMany('Users', [
'foreignKey' => 'promotion_id',
'targetForeignKey'
@Jose: good to know ... logical cause of the dropped table was someone
getting their hands on the database login credentials.
@Dakota: thanks, will keep an eye out for that, not that it's a factor in
this situation.
On Friday, June 13, 2014 4:52:22 AM UTC+1, Dakota wrote:
>
> Just one thing to
Just one thing to note is that the updateall method doesn't do all escaping.
--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
To unsubscribe from
11:36:00 UTC+1, José Lorenzo wrote:
>>
>> No, the security component does not prevent you against that. There must
>> be some place where you are passing raw input into a query.
>>
>> On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
>>>
>>
f SQL Injection.
Thanks, Paul.
On Thursday, 12 June 2014 11:36:00 UTC+1, José Lorenzo wrote:
>
> No, the security component does not prevent you against that. There must
> be some place where you are passing raw input into a query.
>
> On Thursday, June 12, 2014 1:28:03 AM UT
No, the security component does not prevent you against that. There must be
some place where you are passing raw input into a query.
On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
>
> Hi,
>
> I've just launched a site for a client that had quite a big form in
Yeah, everything is done via Model::save() and your understanding is the
same as mine.
If anyone does know otherwise would be good to know.
Thanks, Paul.
On Thursday, 12 June 2014 01:17:12 UTC+1, Reuben wrote:
>
> I thought it would more depend on how you are writing changes to the
> databas
I thought it would more depend on how you are writing changes to the
database.
If you're going via the model, with ::create and ::save methods, then users
"shouldn't" be able to inject a truncate or drop. I say "shouldn't"
because that is my understanding of how it is supposed to work, but I
Hi,
I've just launched a site for a client that had quite a big form in it that
people were spending a long time trying to complete. Because some people
were walking away from the form then coming back later and trying to submit
their security tokens were expiring so the client asked me to dis
Check the Code
http://api.cakephp.org/2.4/source-class-SecurityComponent.html#322-338
Blackholing is nothing more than throwing a BadRequestException or
triggering a callback.
I would not use an exception in that place.
On Friday, December 27, 2013 7:37:24 PM UTC+1, advantage+ wrote:
>
> Is th
I want to make action requests more secure by implementing the Restricting
HTTP methods { requirePost(),requireGet(), requirePut(), requireDelete()}
but running into a bit of an issue.
For an add request for example via ajax I have to fetch the form (get) and
load it into the colorbox, and save
Is there a way to force call blackhole based on model validation rules?
I have a validation method that I would like to call the blackhole if it
fails.
Thanks,
Dave
Hi Friends,
Can anyone help me out with this, I have an edit form with security
component,
it needs to be submitted two times, I have checked in console, in form
security component hidden token METHOD IN by default PUT,
when I click submit first time it changes to post, then second time
In any of the controller files if I call the Security component (not doing
anything beyond that), certain pages of my website crash.
Here's what I have currently for $components. The site works fine with this:
> var $components = array('Auth','Session','E
My solution is to receive the post via one action then redirect to the log in
action. Security::unlockedActions doesn't seem to work though (I must be doing
it wrong?); I have to check for the initial action and disable the Security
component. After the redirect the action is different, s
I'm using 2.3 beta and the Security component.
I have a site that is posting data to a controller action but the Security
component blocks the request; so I don't get $this->request->data and the
code fails.
If I disable the Security component in beforeFilter for this actio
I am struggling with the exact same problem..
If anyone has a suggestion???
see:
http://stackoverflow.com/questions/11869336/cakephp-2-1-making-a-jquery-ajax-call-with-security-component-activated
-Tom
On Thursday, December 8, 2011 at 21:41:18 UTC+1, porangi.chris wrote:
>
> Hi,
>
Nobody has an idea?
--
Our newest site for the community: CakePHP Video Tutorials
http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others
with their CakePHP related questions.
To unsubscribe from this group, send email to
cake-php+unsubscr...@goo
only when Security component is included in
AppController.php.
Here is sample code:
/*file app/Controller/AppController.php*/
array('Jquery'),
'Form',
'Session'
);
public $components = array(
'S
Thanks, Jeremy. I think I'm going to opt for roughly the same thing. Use my
pushSSL() function - analogous to your __unforceSSL() - on all controllers
that don't require SSL, then use the switching style for those that do
require SSL.
It just seems weird to me that they have a function in Secur
Here's how I did this on an app (this is 1.3 but I'd guess it'd be fairly easy
to transpose to 2.0 if needed).
In app_controller create a function:
function __requireSecure() {
... conditions to check
... return true if SSL is needed
... r
Can anyone help me out, here?
Here's what I don't get about the Security Component: if there's an option
to use the blackholeCallback for requireSecure, why is there no option to
provide a callback for anything else?
I'm using this system as outlined in the book to force SSL on certain
actions. But I
pm, Miles J wrote:
> Yeah I ran into this as well, Jose has the correct answer.
>
> https://github.com/milesj/cake-ajax_handler/blob/master/Controller/Co...
>
> On Dec 8, 12:54 pm, José Lorenzo wrote:
>
> > set 'validatePost' => false
Yeah I ran into this as well, Jose has the correct answer.
https://github.com/milesj/cake-ajax_handler/blob/master/Controller/Component/AjaxHandlerComponent.php#L84
On Dec 8, 12:54 pm, José Lorenzo wrote:
> set 'validatePost' => false for the security component in that action
set 'validatePost' => false for the security component in that action
Hi,
I'm having issues with running Ajax and the security component
alongside each other. Security works fine on the other forms. Ajax
works fine if Security is commented out.
Security is included in the App Controller alongside other components
'Security
I have also tried $this->Users->Components->disable('Security');
On Nov 18, 1:55 pm, elitalon wrote:
> I am trying to test a CakePHP action that deals with a signup form
> secured with the `Security` component. I have configured the component
> in a UsersControll
I am trying to test a CakePHP action that deals with a signup form
secured with the `Security` component. I have configured the component
in a UsersController like this:
public $components = array(
'Security' => array('unlockedFields' =>
array('password_
omething, lock up their PC and go home for the night. When they
>> come back in they'll unlock their PC and want to pick up where they
>> left off. If they were in the middle of some data management with
>> forms using the security component, the form will look like it's rea
they'll unlock their PC and want to pick up where they
> left off. If they were in the middle of some data management with
> forms using the security component, the form will look like it's ready
> to go, they'll enter some more data and hit submit but they will be
> immed
off. If they were in the middle of some data management with
forms using the security component, the form will look like it's ready
to go, they'll enter some more data and hit submit but they will be
immediately blackholed. All they will see is a blank screen and think
'bug'. Wh
Thanks a lot Jens,
I think I'll model it this way. Perhaps using a small ajax popup which
contains the token instead of a new frame just asking if the record
should be deleted.
On 13 Aug., 13:03, Jens Dittrich wrote:
> No or it depends on what you want to happen when a delete link is clicked.
>
No or it depends on what you want to happen when a delete link is clicked.
No one forces you to commit a delete on a click on a link. As an example,
you could always display a page requesting a confirm for the delete request,
which could carry a token for that request. That way you could not del
>
> I'm pretty sure this must have been answered somewhere. However I
> wasn't able to find an answer yet. I have two questions regarding the
> security component.
>
> 1. Authentication tokens seem to be checked by the security
> component only if data is passed via post
Hi every body,
I'm pretty sure this must have been answered somewhere. However I
wasn't able to find an answer yet. I have two questions regarding the
security component.
1. Authentication tokens seem to be checked by the security
component only if data is passed via post. I assume
Hi Cake Community,
Cakephp Version: 1.3.8
OS: Windows7
Experience: Newbie
I have a general problem with the security component.
1.) Well, I have the following actions (add, edit) in my controller. If I
call in beforeFilter(), like this, $this->Security->requireAuth('add'), the requi
m: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf
>
> Of Mariano C.
> Sent: Wednesday, April 06, 2011 7:17 AM
> To: CakePHP
> Subject: Re: Security component and HTTP Basic Authentication
>
> I don't need a complete mechanism of authentication.
> I
zero sense...have you read your own question?
-Original Message-
From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf
Of Mariano C.
Sent: Wednesday, April 06, 2011 7:17 AM
To: CakePHP
Subject: Re: Security component and HTTP Basic Authentication
I don't n
component and HTTP Basic Authentication
So I need in couple Auth and Security component?
On 6 Apr, 09:54, "Krissy Masters" wrote:
> $this->Auth->allowedActions = array(); //will allow nothing
>
> $this->Auth->allowedActions = array('login'); //only allow the a
o I need in couple Auth and Security component?
>
> On 6 Apr, 09:54, "Krissy Masters" wrote:
>
> > $this->Auth->allowedActions = array(); //will allow nothing
>
> > $this->Auth->allowedActions = array('login');
So I need in couple Auth and Security component?
On 6 Apr, 09:54, "Krissy Masters" wrote:
> $this->Auth->allowedActions = array(); //will allow nothing
>
> $this->Auth->allowedActions = array('login'); //only allow the action in the
> array
>
> T
ge-
From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf
Of Mariano C.
Sent: Wednesday, April 06, 2011 5:13 AM
To: CakePHP
Subject: Security component and HTTP Basic Authentication
I've read this article
http://book.cakephp.org/view/1309/Basic-HTTP-Authentication
N
I've read this article
http://book.cakephp.org/view/1309/Basic-HTTP-Authentication
Now I've a lot of controller with many actions to protect, so I could
consider the idea to insert that beforeFilter directly inside
AppController (and not in the single controller), so every action will
be protecte
>> attributes should be writable when it comes to a save. I'm using the
>> Security component which ensures that nobody tampers with my forms
>> (e.g. adding a new input field), so I guess I don't need $whitelist
>> anymore, right?
>>
>> Thanks for you
e tells a model, which
> attributes should be writable when it comes to a save. I'm using the
> Security component which ensures that nobody tampers with my forms
> (e.g. adding a new input field), so I guess I don't need $whitelist
> anymore, right?
>
> Thanks for your opinio
Hey everybody
to my knowledge, the $whitelist attribute tells a model, which
attributes should be writable when it comes to a save. I'm using the
Security component which ensures that nobody tampers with my forms
(e.g. adding a new input field), so I guess I don't need $whitelist
anym
r83 wrote:
>> Hey everybody
>>
>> I just noticed that when I'm having an empty dropdown list and send
>> it, then its key in the data (e.g. data[Comment][post_id]) goes
>> missing, and I get a blank screen (probably because the Security
>> component thinks the
On Thu, Dec 30, 2010 at 4:12 PM, psybear83 wrote:
> Hey everybody
>
> I just noticed that when I'm having an empty dropdown list and send
> it, then its key in the data (e.g. data[Comment][post_id]) goes
> missing, and I get a blank screen (probably because the Security
>
Hey everybody
I just noticed that when I'm having an empty dropdown list and send
it, then its key in the data (e.g. data[Comment][post_id]) goes
missing, and I get a blank screen (probably because the Security
component thinks the form was manually changed).
Is this normal? Is there a fi
Hello,
I try to use the security component in cakePHP 1.3 and want to combine
the requirements to establish an SSL connection with a simple security
login.
First I want to redirect to a secure connection. Then transmitting the
password should be okay.
Both methods work fine as long as I
Right on thanks for that bit.
I am not modifying any of the forms, simply AJAX submit.
But 1 thing that has me puzzled was I added Security component, used firebug
to edit the hash value, change a few field names / values and it still
submitted fine (no blackholes) so that where I was getting
:hussein_elhar...@yahoo.com]
> Sent: November-09-10 4:36 AM
> To: CakePHP
> Subject: Re: Security Component
>
> sorry man but who told you that security component and AJAX do not
> work?
>
> On Nov 8, 10:18 pm, "Dave Maharaj" wrote:
> > Ok from what I have read usi
ll
and will not work.
I'm simply sending forms ajax with jquery.form plugin
All my stuff works that's why I'm wondering.
-Original Message-
From: robust solution [mailto:hussein_elhar...@yahoo.com]
Sent: November-09-10 4:36 AM
To: CakePHP
Subject: Re: Security Component
sorry man but who to
sorry man but who told you that security component and AJAX do not
work?
On Nov 8, 10:18 pm, "Dave Maharaj" wrote:
> Ok from what I have read using Security Component with AJAX request will not
> work.
>
> So I never added it to my app_controller, then today I decided lets
It has been a while but usually the response would just be empty, even
if I was setting data.
On Nov 8, 3:49 pm, "Dave Maharaj" wrote:
> All my responses are JSON with true / false then do something like you said.
> I was just curious as everything I seem to have found says Secu
All my responses are JSON with true / false then do something like you said.
I was just curious as everything I seem to have found says Security
Component will not work so just trying to get an answer on what exactly
"will not work" means.
? The component will add the Token / hash b
" wrote:
> Ok from what I have read using Security Component with AJAX request will not
> work.
>
> So I never added it to my app_controller, then today I decided lets see what
> happens so sure enough my forms all get the security div
>
> name="_method"> value
Ok from what I have read using Security Component with AJAX request will not
work.
So I never added it to my app_controller, then today I decided lets see what
happens so sure enough my forms all get the security div
Now just for fun I tested my forms that use ajax and they all submit
is->action.
> Or better:
>
> if(isset($this->Security) && 'myaction' == $this->action) {
> $this->Security->enabled = false;
>
> --
> View this message in context:
> http://cakephp.19694.n2.nabble.com/how-to-disable-security-component-for-a-sin
php.19694.n2.nabble.com/how-to-disable-security-component-for-a-single-action-tp682715p5716405.html
Sent from the CakePHP mailing list archive at Nabble.com.
Check out the new CakePHP Questions site http://cakeqs.org and help others with
their CakePHP related questions.
You received this mes
i always hated the security component for that
had similar issues some time ago.
debugging is almost impossible^^
at least in debug > 0 it should not blackhole completely (but maybe
throw some errors or whatever)
if there is such an option i didn't find it yet
On 20 Oct., 22:43, austin wrote:
orm helper and am not using javascript. My question was "how do you debug an
> issue with the Security component?".
>
> Jeremy Burns
> Class Outfit
>
> jeremybu...@classoutfit.com
> http://www.classoutfit.com
>
> On 18 Sep 2010, at 21:33, bwelli...@gmail.com wrote:
Yup - I know all this and if you read the post you'll see that I am using the
form helper and am not using javascript. My question was "how do you debug an
issue with the Security component?".
Jeremy Burns
Class Outfit
jeremybu...@classoutfit.com
http://www.classoutfit.com
On
When using the Security Component you must use the FormHelper to
create your forms. The Security Component looks for certain indicators
that are created and managed by the FormHelper (especially those
created in create() and end()). Dynamically altering the fields that
are submitted in a POST
> }
>
> On Sep 16, 11:53 pm, Jeremy Burns wrote:
>> Is it possible to exclude a single controller action from the Security
>> component? At present I have $this->Security->validatePost = false; in
>> the controller's beforeFilter, which means that all actions
if ($this->action == 'foobar') {
$this->Security->validatePost = false;
}
On Sep 16, 11:53 pm, Jeremy Burns wrote:
> Is it possible to exclude a single controller action from the Security
> component? At present I have $this->Security->validatePost = false; in
Is it possible to exclude a single controller action from the Security
component? At present I have $this->Security->validatePost = false; in
the controller's beforeFilter, which means that all actions are
insecure.
our-Forms-With-The-Security-Component
>
> On Sep 8, 8:03 am, Jeremy Burns wrote:
>> I have enabled the Security component in my app_controller and mostly
>> this works just fine. But I have one particular view that falls into
>> the blackhole when its form is posted.
Are you creating input fields without the form helper?
http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security-Component
On Sep 8, 8:03 am, Jeremy Burns wrote:
> I have enabled the Security component in my app_controller and mostly
> this works just fine. But I have one part
I have enabled the Security component in my app_controller and mostly
this works just fine. But I have one particular view that falls into
the blackhole when its form is posted. It works fine if I type
$this->Security->validatePost = false; into the beforeFilter() of the
controller.
I can
You're welcome. :)
On Jul 30, 5:32 pm, Tomatosoup wrote:
> A bit late though, but thanks!
>
> On 11 jul, 03:48, nurvzy wrote:
>
>
>
> > Set the security component to not validate that field.
>
> >http://book.cakephp.org/view/1297/Configuration
>
> > Hope
A bit late though, but thanks!
On 11 jul, 03:48, nurvzy wrote:
> Set the security component to not validate that field.
>
> http://book.cakephp.org/view/1297/Configuration
>
> Hope that helps,
> Nick
>
> On Jul 10, 1:28 pm, Tomatosoup wrote:
>
>
>
> > He
Set the security component to not validate that field.
http://book.cakephp.org/view/1297/Configuration
Hope that helps,
Nick
On Jul 10, 1:28 pm, Tomatosoup wrote:
> Hello,
>
> I use the Security component, but one (kind of custom) form gets
> invalidated.
>
> Is there some
Hello,
I use the Security component, but one (kind of custom) form gets
invalidated.
Is there some way to validate an invalidated (because of the token the
Security component generates) form?
Because I have an edit page in which I have a DIV that acts as a Rich
Text Editor. Whenever one clicks
Hi all,
I looked up in the cake core code and found that there are two methods
that generate the fields hash. The first is in the form helper and
generates the fields hash that's displayed at the end of the form. The
second one generates a fields hash based on the submitted fields in
the Security C
Hi,
I've a problem using cake's security component when my field names are
integer. For example I've several checkboxes named:
data[MyModel][1]
data[MyModel][2]
data[MyModel][3]
When I activate the security component, the validation of the post
data fails. The fields are properly
remy Burns
jeremybu...@me.com
On 28 Feb 2010, at 11:32, Jeremy Burns wrote:
> I worked it out. In my cache there were two views for the same page. One
> called sitename.php, the other called sitename_pages_home.php. They are of
> course both from the same source. However, it seems as if the Se
I worked it out. In my cache there were two views for the same page. One called
sitename.php, the other called sitename_pages_home.php. They are of course both
from the same source. However, it seems as if the Security component didn't
like both of them being present. I cleared the cach
I have the Security component in my app_controller's $components
array. The home page of a site has a simple text field to accept some
data. When the form is submitted it is parsed through a controller
with a very simple add function. This form submission is being
intercepted and blackholed b
I did manage to solve it and directly after I had posted this! I
retained the ...
"echo $form->create('Product', array('action'=>'edit/'.$this->data
['Product']['id']));" on "list.ctp".
I changed the link on "edit.ctp" to a verbose link without the "id"
i.e. $form->create('Product', array('action'=
I may be wrong in this, but I'm pretty sure the requirePost() is only
supposed to be used once. It should only be used on the initial
request of the page, not subsequently after.
Why would you have that page require a post to access? And not just
turn it back to a link? It doesn't solve any problem
I have a test CakePHP Application that lists various products on a
single page called "views/products/index.ctp".
To start with each product had an "Edit" link that targeted action
"products/edit/".
This worked fine.
I then added "$this->Security->requirePost('edit');".
I replaced the link on "ind
Yes the security component adds a hidden token/timer within the forms.
There is a time limit that black holes if you sit on the page too
long. Not sure if you can configure it. Try doing a search within the
Security component.
On Jan 18, 8:43 pm, Stinkbug wrote:
> Just checking to see if any
Just checking to see if anyone has any recommendations on this before
I start implementing something myself.
On Dec 16 2009, 10:49 pm, Stinkbug wrote:
> I've been using the security component for quite some time, but there
> is one issue that I've never been able to figure out w
I've been using the security component for quite some time, but there
is one issue that I've never been able to figure out with it.
When I have a form and the user takes a while to fill it out, it will
get blackholed. I'm guessing the security component is using a session
some
1 - 100 of 237 matches