Permalink
Browse files

use new onlyAllow() method in baked code, to ensure 405 responses hav…

…e required Allow header included
  • Loading branch information...
ceeram committed Aug 24, 2012
1 parent 17ba713 commit 27d83eedfe4b3a3e6bb93a3336f0c3d82ea2255a
@@ -47,10 +47,12 @@
/**
* <?php echo $admin ?>add method
*
+ * @throws MethodNotAllowedException
* @return void
*/
public function <?php echo $admin ?>add() {
- if ($this->request->is('post')) {
+ if ($this->request->data) {
+ $this->request->onlyAllow('post');
$this-><?php echo $currentModelName; ?>->create();
if ($this-><?php echo $currentModelName; ?>->save($this->request->data)) {
<?php if ($wannaUseSession): ?>
@@ -86,6 +88,7 @@
/**
* <?php echo $admin ?>edit method
*
+ * @throws MethodNotAllowedException
* @throws NotFoundException
* @param string $id
* @return void
@@ -95,7 +98,8 @@
if (!$this-><?php echo $currentModelName; ?>->exists()) {
throw new NotFoundException(__('Invalid <?php echo strtolower($singularHumanName); ?>'));
}
- if ($this->request->is('post') || $this->request->is('put')) {
+ if ($this->request->data) {
+ $this->request->onlyAllow('post', 'put');
if ($this-><?php echo $currentModelName; ?>->save($this->request->data)) {
<?php if ($wannaUseSession): ?>
$this->Session->setFlash(__('The <?php echo strtolower($singularHumanName); ?> has been saved'));
@@ -137,9 +141,7 @@
* @return void
*/
public function <?php echo $admin; ?>delete($id = null) {
- if (!$this->request->is('post')) {
- throw new MethodNotAllowedException();
- }
+ $this->request->onlyAllow('post', 'delete');
$this-><?php echo $currentModelName; ?>->id = $id;
if (!$this-><?php echo $currentModelName; ?>->exists()) {
throw new NotFoundException(__('Invalid <?php echo strtolower($singularHumanName); ?>'));
@@ -353,7 +353,8 @@ public function testBakeActionsUsingSessions() {
$this->assertContains("\$this->set('bakeArticle', \$this->BakeArticle->read(null, \$id)", $result);
$this->assertContains('function add()', $result);
- $this->assertContains("if (\$this->request->is('post'))", $result);
+ $this->assertContains("if (\$this->request->data)", $result);
+ $this->assertContains("\$this->request->onlyAllow('post')", $result);
$this->assertContains('if ($this->BakeArticle->save($this->request->data))', $result);
$this->assertContains("\$this->Session->setFlash(__('The bake article has been saved'));", $result);
@@ -392,7 +393,8 @@ public function testBakeActionsWithNoSessions() {
$this->assertContains("\$this->set('bakeArticle', \$this->BakeArticle->read(null, \$id)", $result);
$this->assertContains('function add()', $result);
- $this->assertContains("if (\$this->request->is('post'))", $result);
+ $this->assertContains("if (\$this->request->data)", $result);
+ $this->assertContains("\$this->request->onlyAllow('post')", $result);
$this->assertContains('if ($this->BakeArticle->save($this->request->data))', $result);
$this->assertContains("\$this->flash(__('The bake article has been saved.'), array('action' => 'index'))", $result);

8 comments on commit 27d83ee

@lorenzo

This comment has been minimized.

Show comment
Hide comment
@lorenzo

lorenzo Aug 25, 2012

Member

I'm not sure this is a good change. data can be empty but still be a POST request

Member

lorenzo replied Aug 25, 2012

I'm not sure this is a good change. data can be empty but still be a POST request

@lorenzo

This comment has been minimized.

Show comment
Hide comment
@lorenzo

lorenzo Aug 25, 2012

Member

Moreover, those methods also accept GET so it would be inaccurate to respond to browser that method only accepts POST

Member

lorenzo replied Aug 25, 2012

Moreover, those methods also accept GET so it would be inaccurate to respond to browser that method only accepts POST

@dereuromark

This comment has been minimized.

Show comment
Hide comment
@dereuromark

dereuromark Aug 25, 2012

Member

yeah, the delete method makes sense, but the rest is debatable.

Member

dereuromark replied Aug 25, 2012

yeah, the delete method makes sense, but the rest is debatable.

@ceeram

This comment has been minimized.

Show comment
Hide comment
@ceeram

ceeram Aug 25, 2012

Member

propose to partial remove and keep in delete: cc92717

Member

ceeram replied Aug 25, 2012

propose to partial remove and keep in delete: cc92717

@dereuromark

This comment has been minimized.

Show comment
Hide comment
@dereuromark

dereuromark Aug 25, 2012

Member

@ceeram: i guess you could first check on valid post/delete before actually checking for exists() in the db on delete. so the initial order was good for me.

Member

dereuromark replied Aug 25, 2012

@ceeram: i guess you could first check on valid post/delete before actually checking for exists() in the db on delete. so the initial order was good for me.

@ceeram

This comment has been minimized.

Show comment
Hide comment
@ceeram

ceeram Aug 25, 2012

Member

I dont agree, if you get methodnotallowed then change method to same uri suddenly you could get 404
if the resource does not exist, your should always get 404, and only get 405 when it exists but wrong method

Member

ceeram replied Aug 25, 2012

I dont agree, if you get methodnotallowed then change method to same uri suddenly you could get 404
if the resource does not exist, your should always get 404, and only get 405 when it exists but wrong method

@markstory

This comment has been minimized.

Show comment
Hide comment
@markstory

markstory Aug 25, 2012

Member

@ceeram I think the change in cc92717 is a good compromise that better communicates how delete() methods should be used, and doesn't tell half truths for add() and edit().

Member

markstory replied Aug 25, 2012

@ceeram I think the change in cc92717 is a good compromise that better communicates how delete() methods should be used, and doesn't tell half truths for add() and edit().

@ceeram

This comment has been minimized.

Show comment
Hide comment
@ceeram

ceeram Aug 26, 2012

Member

cherry-picked the commit to 2.3: abe74ad

Member

ceeram replied Aug 26, 2012

cherry-picked the commit to 2.3: abe74ad

Please sign in to comment.