
Starting to update SecurityComponent.

1 parent 0c3c6e5 commit be6a2e096f64e98efe60dd69fb499524b123a1b1 @markstory markstory committed Jun 9, 2011
Showing with 16 additions and 9 deletions.
  1. +16 −9 lib/Cake/Controller/Component/SecurityComponent.php
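--- a/lib/Cake/Controller/Component/SecurityComponent.php
+++ b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -112,7 +112,8 @@ class SecurityComponent extends Component {
 public $allowedActions = array();
 /**
- * Form fields to disable
+ * Form fields to exclude from POST validation. Fields can be disabled
+ * either in the Component, or with FormHelper::disableField()
 *
 * @var array
 * @access public
@@ -402,20 +403,22 @@ protected function _validatePost($controller) {
 }
 $data = $controller->request->data;
-if (!isset($data['_Token']) || !isset($data['_Token']['fields'])) {
+if (!isset($data['_Token']) || !isset($data['_Token']['fields']) || !isset($data['_Token']['disabled'])) {
 return false;
 }
-$locked = null;
+$locked = '';
 $check = $controller->request->data;
 $token = urldecode($check['_Token']['fields']);
+$disabled = urldecode($check['_Token']['disabled']);
 if (strpos($token, ':')) {
 list($token, $locked) = explode(':', $token, 2);
 }
 unset($check['_Token']);
 $locked = explode('|', $locked);
+$disabled = explode('|', $disabled);
 $lockedFields = array();
 $fields = Set::flatten($check);
@@ -432,15 +435,17 @@ protected function _validatePost($controller) {
 $fieldList += array_unique($multi);
 }
+$disabledFields = array_unique(array_merge((array)$this->disabledFields, $disabled));
+
 foreach ($fieldList as $i => $key) {
 $isDisabled = false;
 $isLocked = (is_array($locked) && in_array($key, $locked));
-if (!empty($this->disabledFields)) {
-foreach ((array)$this->disabledFields as $disabled) {
-$disabled = explode('.', $disabled);
-$field = array_values(array_intersect(explode('.', $key), $disabled));
-$isDisabled = ($field === $disabled);
+if (!empty($disabledFields)) {
+foreach ($disabledFields as $off) {
+$off = explode('.', $off);
+$field = array_values(array_intersect(explode('.', $key), $off));
+$isDisabled = ($field === $off);
 if ($isDisabled) {
 break;
 }
@@ -454,11 +459,13 @@ protected function _validatePost($controller) {
 }
 }
 }
+sort($disabled, SORT_STRING);
 sort($fieldList, SORT_STRING);
 ksort($lockedFields, SORT_STRING);
 $fieldList += $lockedFields;
-$check = Security::hash(serialize($fieldList) . Configure::read('Security.salt'));
+$disabled = implode('|', $disabled);
+$check = Security::hash(serialize($fieldList) . $disabled . Configure::read('Security.salt'));
 return ($token === $check);
 }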
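Review bot: The new `_Token.disabled` list is read straight from the request at `$disabled = urldecode($check['_Token']['disabled']);` and merged into `$disabledFields`, so the client decides which fields skip validation; the only thing that makes that safe is the sorted `implode('|', $disabled)` being folded into the hash in the last hunk, and a reader of the merge line cannot see that from where it sits. I would add at the urldecode line: `// Client-supplied; it is bound into the token hash below, so any edit to this list fails the final comparison.` The added `!isset($data['_Token']['disabled'])` condition also rejects any form whose helper does not yet emit the field, which looks intended by this series but is worth stating in the method docblock. `_validatePost` starts before the first code hunk and the hunks omit parts of its body.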
