
Fix Token fields being added to GET forms.

They are not used so there is not much point in appending them.

Fixes #3565
1 parent e4f241d commit ce7f85abe8e54352ad8ad38425ce20e1aac794ec @markstory markstory committed Jan 25, 2013
Showing with 25 additions and 2 deletions.
  1. +17 −0 lib/Cake/Test/Case/View/Helper/FormHelperTest.php
  2. +8 −2 lib/Cake/View/Helper/FormHelper.php
@@ -724,6 +724,23 @@ public function testCreateWithSecurity() {
}
/**
+ * testFormCreateGetNoSecurity method
+ *
+ * Test form->create() with no security key as its a get form
+ *
+ * @return void
+ */
+ public function testCreateEndGetNoSecurity() {
+ $this->Form->request['_Token'] = array('key' => 'testKey');
+ $encoding = strtolower(Configure::read('App.encoding'));
+ $result = $this->Form->create('Contact', array('type' => 'get', 'url' => '/contacts/add'));
+ $this->assertNotContains('Token', $result);
+
+ $result = $this->Form->end('Save');
+ $this->assertNotContains('Token', $result);
+ }
+
+/**
* test that create() clears the fields property so it starts fresh
*
* @return void
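Review bot: `$encoding` in `testCreateEndGetNoSecurity()` is assigned from `Configure::read('App.encoding')` and never read, and the docblock title `testFormCreateGetNoSecurity method` does not match the method name; drop the assignment and retitle the docblock `testCreateEndGetNoSecurity method`. The test also exercises only the lowercase `'type' => 'get'`. Because the new guards compare `$this->requestType !== 'get'` strictly, a second case with `'type' => 'GET'` would pin how mixed-case types are treated; where `requestType` is normalised is not visible in this commit.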
@@ -433,7 +433,9 @@ public function create($model = null, $options = array()) {
$htmlAttributes = array_merge($options, $htmlAttributes);
$this->fields = array();
- $append .= $this->_csrfField();
+ if ($this->requestType !== 'get') {
+ $append .= $this->_csrfField();
+ }
if (!empty($append)) {
$append = $this->Html->useTag('block', ' style="display:none;"', $append);
@@ -504,7 +506,11 @@ public function end($options = null) {
}
$out .= $this->submit($submit, $submitOptions);
}
- if (isset($this->request['_Token']) && !empty($this->request['_Token'])) {
+ if (
+ $this->requestType !== 'get' &&
+ isset($this->request['_Token']) &&
+ !empty($this->request['_Token'])
+ ) {
$out .= $this->secure($this->fields);
$this->fields = array();
}
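Review bot: The new guard in `end()` reads `$this->requestType`, which is state left behind by the last `create()` call, so a stale `'get'` would skip `secure($this->fields)` for a later form that is closed with `end()` without its own `create()`. Where `requestType` is assigned and whether it is cleared is outside these hunks, so confirm that `end()` resets it (for example `$this->requestType = null;` before returning). Both guards would also benefit from a short comment giving the reason, such as `// GET forms carry their fields in the URL, so no CSRF token or field hash is emitted; state-changing actions must not accept GET.` The bodies of `create()` and `end()` continue outside the hunks.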
