
use new onlyAllow() method in baked code, to ensure 405 responses have required Allow header included
commit 27d83eedfe4b3a3e6bb93a3336f0c3d82ea2255a 1 parent 17ba713
ceeram authored August 25, 2012
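--- a/lib/Cake/Console/Templates/default/actions/controller_actions.ctp
+++ b/lib/Cake/Console/Templates/default/actions/controller_actions.ctp
@@ -47,10 +47,12 @@
 /**
  * <?php echo $admin ?>add method
  *
+ * @throws MethodNotAllowedException
  * @return void
  */
 	public function <?php echo $admin ?>add() {
-		if ($this->request->is('post')) {
+		if ($this->request->data) {
+			$this->request->onlyAllow('post');
 			$this-><?php echo $currentModelName; ?>->create();
 			if ($this-><?php echo $currentModelName; ?>->save($this->request->data)) {
 <?php if ($wannaUseSession): ?>
@@ -86,6 +88,7 @@
 /**
  * <?php echo $admin ?>edit method
  *
+ * @throws MethodNotAllowedException
  * @throws NotFoundException
  * @param string $id
  * @return void
@@ -95,7 +98,8 @@
 		if (!$this-><?php echo $currentModelName; ?>->exists()) {
 			throw new NotFoundException(__('Invalid <?php echo strtolower($singularHumanName); ?>'));
 		}
-		if ($this->request->is('post') || $this->request->is('put')) {
+		if ($this->request->data) {
+			$this->request->onlyAllow('post', 'put');
 			if ($this-><?php echo $currentModelName; ?>->save($this->request->data)) {
 <?php if ($wannaUseSession): ?>
 				$this->Session->setFlash(__('The <?php echo strtolower($singularHumanName); ?> has been saved'));
@@ -137,9 +141,7 @@
  * @return void
  */
 	public function <?php echo $admin; ?>delete($id = null) {
-		if (!$this->request->is('post')) {
-			throw new MethodNotAllowedException();
-		}
+		$this->request->onlyAllow('post', 'delete');
 		$this-><?php echo $currentModelName; ?>->id = $id;
 		if (!$this-><?php echo $currentModelName; ?>->exists()) {
 			throw new NotFoundException(__('Invalid <?php echo strtolower($singularHumanName); ?>'));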
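--- a/lib/Cake/Test/Case/Console/Command/Task/ControllerTaskTest.php
+++ b/lib/Cake/Test/Case/Console/Command/Task/ControllerTaskTest.php
@@ -353,7 +353,8 @@ public function testBakeActionsUsingSessions() {
 		$this->assertContains("\$this->set('bakeArticle', \$this->BakeArticle->read(null, \$id)", $result);
 
 		$this->assertContains('function add()', $result);
-		$this->assertContains("if (\$this->request->is('post'))", $result);
+		$this->assertContains("if (\$this->request->data)", $result);
+		$this->assertContains("\$this->request->onlyAllow('post')", $result);
 		$this->assertContains('if ($this->BakeArticle->save($this->request->data))', $result);
 		$this->assertContains("\$this->Session->setFlash(__('The bake article has been saved'));", $result);
 
@@ -392,7 +393,8 @@ public function testBakeActionsWithNoSessions() {
 		$this->assertContains("\$this->set('bakeArticle', \$this->BakeArticle->read(null, \$id)", $result);
 
 		$this->assertContains('function add()', $result);
-		$this->assertContains("if (\$this->request->is('post'))", $result);
+		$this->assertContains("if (\$this->request->data)", $result);
+		$this->assertContains("\$this->request->onlyAllow('post')", $result);
 		$this->assertContains('if ($this->BakeArticle->save($this->request->data))', $result);
 
 		$this->assertContains("\$this->flash(__('The bake article has been saved.'), array('action' => 'index'))", $result);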
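Review bot: Both updated hunks pin only the add() output; the delete() branch, which changed from an explicit throw to `$this->request->onlyAllow('post', 'delete')`, and the edit() branch's `onlyAllow('post', 'put')` are not asserted here, so a regression in either baked method would still pass these tests. Unless they are already covered further down in testBakeActionsUsingSessions() (whose body starts and ends outside the hunk), add `$this->assertContains("\$this->request->onlyAllow('post', 'delete')", $result);` and the matching `'post', 'put'` assertion beside the add() checks in both test methods. The same gap applies to the testBakeActionsWithNoSessions() hunk.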

8 notes on commit 27d83ee

José Lorenzo Rodríguez
Owner

I'm not sure this is a good change. data can be empty but still be a POST request

José Lorenzo Rodríguez
Owner

Moreover, those methods also accept GET so it would be inaccurate to respond to browser that method only accepts POST

Mark
Collaborator

yeah, the delete method makes sense, but the rest is debatable.

ceeram
Collaborator

propose to partial remove and keep in delete: cc92717

Mark
Collaborator

@ceeram: i guess you could first check on valid post/delete before actually checking for exists() in the db on delete. so the initial order was good for me.

ceeram
Collaborator

I dont agree, if you get methodnotallowed then change method to same uri suddenly you could get 404
if the resource does not exist, you should always get 404, and only get 405 when it exists but wrong method

Mark Story
Owner

@ceeram I think the change in cc92717 is a good compromise that better communicates how delete() methods should be used, and doesn't tell half truths for add() and edit().

ceeram
Collaborator

cherry-picked the commit to 2.3: abe74ad
