Fix Token fields being added to GET forms.

They are not used so there is not much point in appending them. Fixes #3565
cakephp · Jan 25, 2013 · ce7f85a · ce7f85a
1 parent e4f241d
commit ce7f85a
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/lib/Cake/Test/Case/View/Helper/FormHelperTest.php b/lib/Cake/Test/Case/View/Helper/FormHelperTest.php
@@ -723,6 +723,23 @@ public function testCreateWithSecurity() {
 		$this->assertTags($result, $expected);
 	}
 
+/**
+ * testFormCreateGetNoSecurity method
+ *
+ * Test form->create() with no security key as its a get form
+ *
+ * @return void
+ */
+	public function testCreateEndGetNoSecurity() {
+		$this->Form->request['_Token'] = array('key' => 'testKey');
+		$encoding = strtolower(Configure::read('App.encoding'));
+		$result = $this->Form->create('Contact', array('type' => 'get', 'url' => '/contacts/add'));
+		$this->assertNotContains('Token', $result);
+
+		$result = $this->Form->end('Save');
+		$this->assertNotContains('Token', $result);
+	}
+
 /**
  * test that create() clears the fields property so it starts fresh
  *

diff --git a/lib/Cake/View/Helper/FormHelper.php b/lib/Cake/View/Helper/FormHelper.php
@@ -433,7 +433,9 @@ public function create($model = null, $options = array()) {
 		$htmlAttributes = array_merge($options, $htmlAttributes);
 
 		$this->fields = array();
-		$append .= $this->_csrfField();
+		if ($this->requestType !== 'get') {
+			$append .= $this->_csrfField();
+		}
 
 		if (!empty($append)) {
 			$append = $this->Html->useTag('block', ' style="display:none;"', $append);
@@ -504,7 +506,11 @@ public function end($options = null) {
 			}
 			$out .= $this->submit($submit, $submitOptions);
 		}
-		if (isset($this->request['_Token']) && !empty($this->request['_Token'])) {
+		if (
+			$this->requestType !== 'get' &&
+			isset($this->request['_Token']) &&
+			!empty($this->request['_Token'])
+		) {
 			$out .= $this->secure($this->fields);
 			$this->fields = array();
 		}