Fixing issues with CSRF token failure and requestAction.

Fixes #1900
cakephp · Aug 13, 2011 · 3014d3f · 3014d3f
1 parent 1df8de6
commit 3014d3f
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/lib/Cake/Controller/Component/SecurityComponent.php b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -203,17 +203,17 @@ public function startup($controller) {
 		$this->_authRequired($controller);
 
 		$isPost = ($this->request->is('post') || $this->request->is('put'));
-		$isRequestAction = (
+		$isNotRequestAction = (
 			!isset($controller->request->params['requested']) ||
 			$controller->request->params['requested'] != 1
 		);
 
-		if ($isPost && $isRequestAction && $this->validatePost) {
+		if ($isPost && $isNotRequestAction && $this->validatePost) {
 			if ($this->_validatePost($controller) === false) {
 				return $this->blackHole($controller, 'auth');
 			}
 		}
-		if ($isPost && $this->csrfCheck) {
+		if ($isPost && $isNotRequestAction && $this->csrfCheck) {
 			if ($this->_validateCsrf($controller) === false) {
 				return $this->blackHole($controller, 'csrf');
 			}

diff --git a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
@@ -1036,6 +1036,23 @@ public function testBlackHoleNotDeletingSessionInformation() {
 		$this->assertTrue($this->Controller->Security->Session->check('_Token'), '_Token was deleted by blackHole %s');
 	}
 
+/**
+ * test that csrf checks are skipped for request action. 
+ *
+ * @return void
+ */
+	public function testCsrfSkipRequestAction() {
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+
+		$this->Security->validatePost = false;
+		$this->Security->csrfCheck = true;
+		$this->Security->csrfExpires = '+10 minutes';
+		$this->Controller->request->params['requested'] = 1;
+		$this->Security->startup($this->Controller);
+
+		$this->assertFalse($this->Controller->failed, 'fail() was called.');
+	}
+
 /**
  * test setting 
  *