1

I am using the Security component in my AppController. I need to build a check form input that will allow custom formatting of each item in the list. To accomplish this, I am processing each item in the $options set using a foreach and creating the new element like so:

foreach ($fileTypes as $fileType_key => $fileType_value) {
   echo $this->Form->input(
      'FilesIncluded.' . $fileType_key, 
         array(
            'type' => 'checkbox', 
            'value' => $fileType_key,
            'label' => false, 
            'div' => false,
            'before' => '<span class="checkbox clearfix"><span class="check">',
            'after' => '</span><label for="add-product-check-sub-cat">' . $fileType_value . '</label></span>',
            'hiddenField' => false,
         )
      );
}

There is a few things to note:

  1. I am setting each check box to data[FilesIncluded][{UUID}] (where UUID actually represents the UUID pf the FilesIncluded) instead of data[FilesIncluded][]
  2. FilesIncluded is not part of the form model, so it will appear in $this->request->data as $this->request->data['FilesIncluded'] instead of $this->request->data['Model']['column']

What I am trying to figure out is why this throws an auth security risk? When I change the field name from 'FilesIncluded.' . $fileType_key to something with a counter in it like 'FilesIncluded.' . $count . '.id', it seems to work without throwing any security auth errors. Any ideas how to make this work the way I am expecting it to?

UPDATE:

The other issue is being able to maintain a fixed set of FileTypes. For example, I want to be able to control the HABTM records that can be selected from the checkbox. For example, I will display this list: http://cl.ly/image/0b1Q3C0d0w1Y

And only when the user selects the records will they be stored as hasMany. Then when it comes time to edit, I want to not only be able to show the same set of records, but then have them associated to the records the user saved.

Chuck Burgess
  • 11,600
  • 5
  • 41
  • 74

1 Answers1

2

(Probable) Cause

You're probably getting the Security error, because you're disabling the hiddenField for the checkboxes. The Security components checks if a Submitted Form is valid (i.e. not tampered with) by calculating a checksum, based on the names of the Form fields, when creating the form and comparing this with the data received when submitting the form.

By suppressing the hiddenField, the checkbox will not be present in the posted data if it is not checked (Non-checked checkboxes are never sent in HTML forms). As explained above, CakePHP calculates a checksum based on the fields/inputs it expects and the actual fields (data) it receives. By disabling the hiddenField, the checksum calculated from the posted data will depend on wether a checkbox was checked or not, which will invalidate the posted data

Workarounds

There may be some Workarounds;

  • Do not suppress the 'hiddenField' This will make sure that the checkboxes will always be present in the posted data. If a checkbox is not checked, the value of the checkbox will be 0 (zero). If the checkbox is checked, its posted value will be the specified value of the checkbox (or 1 if no value is specified)

  • Exclude your custom inputs from the checksum. You can exclude fields from the checksum via $this->Form->unlockField('fieldname');. CakePHP will ignore those inputs when calculating the Security checksum.

Documentation: FormHelper::unlockField()

Notes

Although these Workarounds may help, I'd suggest to not re-invent the wheel. By changing the names of your inputs, you're no longer following the CakePHP conventions. Sticking to the conventions often saves you a lot of time.

For example, saving related data can be performed with a single Model::saveAssociated() call. If your Model-relations are properly set, for example:

Document->hasMany->UserFiles, then CakePHP will insert/update both the Document and UserFiles data automatically.

Read the documentation here Saving Related Model Data (hasOne, hasMany, belongsTo)

Community
  • 1
  • 1
thaJeztah
  • 27,738
  • 9
  • 73
  • 92
  • Thanks for the update! However, if there are no records saved and I want to show 6 default options that they can choose from, how do I make that work correctly? Meaning, the FileTypes are predefined options (PHP, PSD, HTML, IMAGE, DOC, CSS, JS). I want them to display to the user as being able to be selected, but only when they checked will they be saved in the hasMany? Then on the flip side, when they ARE checked, the edit form will be able to display them correctly too? (see updated post) – Chuck Burgess Apr 16 '13 at 22:33
  • I would prefer to do this the correct way, however I am having trouble determining how to do so when the fields are a predefined list of options vs something the user can just add themselves. – Chuck Burgess Apr 16 '13 at 22:38
  • Yes, that is the idea of HABTM, for example `User <-HABTM-> Filetype` Filetype contains a list of FileType-records. Every selected Filetype, will add a record in the `JOIN-table` (filetypes_users) for *that* user. If the formFields are named correctly, you just use `Model::save()` and all will be saved. For this, Read [Saving Related Model Data (HABTM)](http://book.cakephp.org/2.0/en/models/saving-your-data.html#saving-related-model-data-habtm) – thaJeztah Apr 16 '13 at 22:42
  • This question may give some info as well: http://stackoverflow.com/questions/10428233/cakephp-2-1-saving-habtm-fields. If your Filetype model is called 'Filetype', the checkboxes have to be named `Filetype.Filetype.x' where 'x' is a numeric index in the FormHelper (I'm not behind my computer, so not able to fully check) – thaJeztah Apr 16 '13 at 22:48
  • Thanks you for unclogging my brain! I know now what I need to do. I have a hasMany association for a limited set of data. What I need to do is build a HABTM association and tie associated data to it. Thanks! – Chuck Burgess Apr 16 '13 at 22:49
  • It is *not* always easy, but once you got the hang of it, you get used to the conventions of CakePHP. Try it, look what happens and don't be afraid to check the source of CakePHP itself to understand how it handles things. Good luck! – thaJeztah Apr 16 '13 at 22:52