Re: security component
I was able to solve the first question myself:
In my controller actions I always check `if ($this->data)` before saving
or editing a record.
If variables are passed via GET (a harmful link, for example), `$this->data`
is empty and nothing harmful can happen.
In other words, without using the POST method it's not possible to add or
edit a record.
Hence, `security->requirePost` just seems to be necessary for the
delete actions.
Still, do I have to replace all delete links
with small forms which contain the authentication token?
On Aug 11, 5:54 pm, Özgür Demir <oet...@googlemail.com> wrote:
> Hi everybody,
>
> I'm pretty sure this must have been answered somewhere. However, I
> wasn't able to find an answer yet. I have two questions regarding the
> security component.
>
> 1. Authentication tokens seem to be checked by the security
> component only if data is passed via post. I assume this since my
> delete action is performed through a delete link even if the action is
> protected by the security component. This makes the security component
> useless for CSRF without the use of security->requirePost(). Am I
> right with this?
>
> 2. It's obvious that my "add/edit" links are not working if using
> requirePost('add','edit'), I could solve this by adding
> requirePost('add','edit') only if data is submitted by the user like
> this:
>
> in beforeFilter:
> if ($this->data) {
>     $this->Security->requirePost('add', 'edit');
> }
>
> But how do I handle the delete links? Do I have to replace all of them
> with small forms which contain the authentication token?
>
> Thanks for your help...
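The two points of the thread, as an added plain-PHP sketch that is not code from the posts or from CakePHP: a token check only protects an action when that action also refuses GET, and a delete link becomes a small POST form that carries the token. The function names and the `_csrf` field name are hypothetical.

```php
<?php
// Added example, not code from the thread or from CakePHP's SecurityComponent.
// Shows why a CSRF token alone does not protect a GET delete link, and what
// the "small form" that replaces the link looks like. Names are hypothetical.

// One token per session; compared with hash_equals() to avoid timing leaks.
function csrfToken(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// requirePost plus token check for a state-changing action such as delete.
// A GET request (a plain delete link, including one planted on another
// site) fails before the record is touched; so does a POST with a bad token.
function allowStateChange(string $method, array $post, string $expected): bool {
    if ($method !== 'POST') {
        return false;
    }
    $given = $post['_csrf'] ?? '';
    return is_string($given) && hash_equals($expected, $given);
}

// The small form that replaces <a href="/posts/delete/1">Delete</a>.
// Action and token are escaped so the markup cannot be broken by either.
function deleteForm(string $action, string $token): string {
    $a = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    $t = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $a . '">'
         . '<input type="hidden" name="_csrf" value="' . $t . '">'
         . '<button type="submit">Delete</button></form>';
}

// Constructed requests standing in for $_SERVER['REQUEST_METHOD'] and $_POST.
$session = [];
$token   = csrfToken($session);
var_dump(allowStateChange('GET',  [],                    $token)); // GET delete link
var_dump(allowStateChange('POST', ['_csrf' => 'forged'], $token)); // POST, wrong token
var_dump(allowStateChange('POST', ['_csrf' => $token],   $token)); // POST from the form
echo deleteForm('/posts/delete/1', $token), PHP_EOL;
```

In a controller the check runs before any model call, so a request that fails it is answered with 403 and never reaches the delete.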