10

FINALLY found the solution:

If anyone has this problem, put this in your beforeFilter.

$this->Security->unlockedActions = array('givestar');

And update libs to Cake 2.3

The problem:

I am struggling with the SECURITY component blackholing me on my ajax calls.

var id = 1;

$.ajax({
    type: "post",
    url: "/messages/givestar/",
    data: {"id" : id},
    dataType: "json"
});

I am only trying to send the ID for the controller to update the message where id=id

But Security component is Blackholing me on all my ajax calls.

Anyone know how I can make it work with security component activated??

Thanks!

You are awesome!

-Tom

Suggestions????

UPDATE2 I get an AUTH error from blackhole after some testing.

From Book: 
‘auth’ Indicates a form validation error, or a controller/action mismatch error.

I have double checked all ACO nodes, they are good. I am leaning against a FORM VALIDATION ERROR from Security component on my ajax call.

UPDATE:

AppController.php

public $components = array(
    'Acl',
    'Auth',
    'Session',
    'Security',
    'Cookie'
);

public function beforeFilter() {
    $this->Security->blackHoleCallback = 'blackhole';
}

public function blackhole($type) {
    $this->Session->setFlash(__('ERROR: %s', $type), 'flash/error');
}

MessagesController.php

public $components = array('RequestHandler');

public function beforeFilter() {
    parent::beforeFilter();
}

public function givestar() {
    $this->autoRender = false;
    if ($this->request->is('ajax')) {
        echo 'Working';
    }
    return;
}
Tom
  • security component activated?? means you want to encrypt the `id` or hide it in the ajax call ? – coolguy Aug 08 '12 at 17:01
  • http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html – Tom Aug 08 '12 at 17:04
  • Aahhh, my bad. I'm not a CakePHP guy... I'm with Zend Framework + jQuery. There are plenty of CakePHP experts in SO... you will find what you need shortly :) – coolguy Aug 08 '12 at 17:06
  • I do not want to encrypt anything, but security component is protecting every POST from tampering. I have read about serializing the ajax call and using json to get past this, but I am not sure how to do it... Thanks anyway :) – Tom Aug 08 '12 at 17:07

2 Answers

7

In beforeFilter:

$this->Security->unlockedActions = array('givestar');
Tom
2

SecurityComponent line 396:

if (!isset($controller->request->data['_Token'])) {
    if (!$this->blackHole($controller, 'auth')) {
        return null;
    }
}

So I guess if you want to secure this action, you must send the data with an additional generated '_Token' key. This key is generated using the Form->secure($fields) method (actually, the method generates hidden inputs with the proper values).

krzysiek
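To keep SecurityComponent's checks on givestar instead of unlocking the action, the AJAX request has to carry the `_Token` fields the answer above refers to. The following is an added example, not code from the question or either answer: it assumes a hypothetical view file, a `$messageId` view variable, a `Message` model name, the form id `GiveStarForm` and a `giveStar()` helper.

```php
<?php
// app/View/Messages/index.ctp (hypothetical view, CakePHP 2.x).
// $messageId is assumed to be set by the controller.
//
// With SecurityComponent loaded, Form->create() writes the hidden
// data[_Token][key] input and Form->end() calls secure() to write
// data[_Token][fields] and data[_Token][unlocked].
echo $this->Form->create('Message', array(
    'url' => array('controller' => 'messages', 'action' => 'givestar'),
    'id' => 'GiveStarForm',
));

// The value of a hidden field is folded into the token hash, so an id
// altered in the browser is blackholed with 'auth' on the server.
echo $this->Form->hidden('id', array('value' => $messageId));

echo $this->Form->end();
?>
<script>
// Post the serialized form instead of a hand-built {"id": id} object,
// so the _Token inputs travel with the request.
function giveStar() {
    var $form = $('#GiveStarForm');
    return $.ajax({
        type: 'post',
        url: $form.attr('action'),
        data: $form.serialize()
    });
}
</script>
```

In the controller the id then arrives as `$this->request->data['Message']['id']`. With CakePHP 2.x's default `csrfUseOnce = true` each token is valid for a single request, so a page that posts several times from the same form needs `$this->Security->csrfUseOnce = false;` in beforeFilter or a freshly rendered form per call.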