Merge pull request #750 from tigrang/security-component-enhancement

Added `disabledActions` feature to SecurityComponent
commit 1ff63758ad40b2d61d8153fe60c02ead01000ef9 2 parents 57c495f + 617d470
@lorenzo lorenzo authored
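--- a/lib/Cake/Controller/Component/SecurityComponent.php
+++ b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -130,6 +130,13 @@ class SecurityComponent extends Component {
 public $unlockedFields = array();
 /**
+ * Actions to exclude from any security checks
+ *
+ * @var array
+ */
+ public $unlockedActions = array();
+
+/**
 * Whether to validate POST data. Set to false to disable for data coming from 3rd party
 * services, etc.
 *
@@ -218,13 +225,11 @@ public function startup(Controller $controller) {
 $controller->request->params['requested'] != 1
 );
- if ($isPost && $isNotRequestAction && $this->validatePost) {
- if ($this->_validatePost($controller) === false) {
+ if (!in_array($this->_action, (array)$this->unlockedActions) && $isPost && $isNotRequestAction) {
+ if ($this->validatePost && $this->_validatePost($controller) === false) {
 return $this->blackHole($controller, 'auth');
 }
- }
- if ($isPost && $isNotRequestAction && $this->csrfCheck) {
- if ($this->_validateCsrf($controller) === false) {
+ if ($this->csrfCheck && $this->_validateCsrf($controller) === false) {
 return $this->blackHole($controller, 'csrf');
 }
 }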
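Review bot: The new guard compares the request's action against `unlockedActions` with a loose `in_array`, so a non-string entry in that list (an integer or boolean) would match actions it was never meant to unlock; pass the strict flag, `if (!in_array($this->_action, (array)$this->unlockedActions, true) && $isPost && $isNotRequestAction) {`. The added docblock says unlocked actions are excluded "from any security checks", but in this hunk only the POST-data validation and the CSRF check consult the list; if the request-method, SSL and auth checks earlier in startup (outside this hunk) still run for those actions, the comment overstates the effect and should read something like `Actions to exclude from POST data validation and CSRF checks. Listing an action here disables CSRF protection for it.` startup's body begins and ends outside the hunk, and where `$this->_action` is assigned is not visible here.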
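--- a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
+++ b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
@@ -1372,4 +1372,18 @@ public function testCsrfLimit() {
 $this->assertTrue(isset($result['4']));
 $this->assertTrue(isset($result['5']));
 }
+
+/**
+ * Test unlocked actions
+ *
+ * @return void
+ */
+ public function testUnlockedActions() {
+ $_SERVER['REQUEST_METHOD'] = 'POST';
+ $this->Controller->request->data = array('data');
+ $this->Controller->Security->unlockedActions = 'index';
+ $this->Controller->Security->blackHoleCallback = null;
+ $result = $this->Controller->Security->startup($this->Controller);
+ $this->assertNull($result);
+ }
 }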
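Review bot: testUnlockedActions asserts only that the unlocked request returns null; without a companion case in which the action is not in `unlockedActions`, the test also passes if startup short-circuits for an unrelated reason (for example validatePost already being false in this fixture). Add a negative control that sets `$this->Controller->Security->unlockedActions = array('other');` under the same POST setup and expects the request to be black-holed. The test also assigns a bare string `'index'` to a property documented as `@var array`; either cover the array form as well or use `array('index')` so the documented type is what is exercised. Whether `_action` resolves to `index` here depends on request params set up in the fixture outside the hunk.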