Thursday, 15 January 2015

security - Why doesn't unlockedActions override requireAuth in CakePHP? -

In a Cake 2.3 app, I have an action that's called via AJAX. Since I'm using the Security component, I had to utilize $this->Security->unlockedActions, otherwise the action would fail.

However, unlockedActions doesn't work when $this->Security->requireAuth() is called. Is this a bug? Or do I have a misunderstanding of how CakePHP handles security?

Why doesn't unlockedActions override requireAuth?

SecurityComponent::requireAuth() adds the action to an array of required actions, stored in SecurityComponent::$requireAuth.

If you take a look at the Security component's startup code, you'll find SecurityComponent::_authRequired(), the method that checks the $requireAuth array, and it is called before the unlocked actions are checked. I imagine that if you require an action to be authorized, that should take precedence over telling the app it doesn't.

I still consider it a bug (or incorrectly documented), as it states in the documentation:

There may be cases where you want to disable security checks for an action (ex. AJAX request). You may "unlock" these actions by listing them in $this->Security->unlockedActions in your beforeFilter.

This is a new feature, so you might open a ticket explaining the confusion and see what the core team thinks of it.

I should note here that disabling the Security component for AJAX requests isn't necessary. I have several apps that utilize the Security component, along with CSRF checks, side-by-side with AJAX.
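The ordering described in the answer (requireAuth is enforced before unlockedActions is consulted) means the practical fix is to scope requireAuth() to the form-posting actions rather than calling it for every action, while leaving the CSRF check on for the AJAX action instead of unlocking it. The controller below is an added example, not code from the question, the answer or CakePHP itself; it assumes CakePHP 2.3 and made-up action names (add, edit, delete, toggle).

```php
<?php
// Added example (not from the question or answer). Assumes CakePHP 2.3;
// the controller and action names are made up for illustration.
App::uses('AppController', 'Controller');

class PostsController extends AppController {

    public $components = array('Security');

    public function beforeFilter() {
        parent::beforeFilter();

        // Route blackholed requests to a controller method so they are
        // logged before the 400 response goes out.
        $this->Security->blackHoleCallback = 'blackhole';

        // Only these actions must carry a valid _Token from a generated
        // form. The AJAX action 'toggle' is deliberately NOT listed, so
        // SecurityComponent::_authRequired() never rejects it, and there is
        // no need to put it in unlockedActions.
        $this->Security->requireAuth('add', 'edit', 'delete');

        // CSRF checking stays on for every POST, including the AJAX one;
        // the client has to send the _Token.key value it received with
        // the page, exactly as a normal form post does.
        $this->Security->csrfCheck = true;
    }

    // SecurityComponent calls this with the failure type ('auth', 'csrf',
    // 'secure', ...). Log it so repeated failures are visible in the logs.
    public function blackhole($type) {
        CakeLog::write('warning', sprintf(
            'Security blackhole (%s) for %s %s from %s',
            $type, $this->request->method(), $this->request->here,
            $this->request->clientIp()
        ));
        throw new BadRequestException(__('The request could not be validated.'));
    }

    public function toggle($id = null) {
        // Accept only AJAX POSTs; a plain GET cannot flip state.
        if (!$this->request->is('ajax') || !$this->request->is('post')) {
            throw new MethodNotAllowedException();
        }
        $this->Post->id = $id;
        $this->Post->saveField('published', !$this->Post->field('published'));
        $this->set('_serialize', array('id'));
        $this->set('id', $id);
    }
}
```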

security cakephp
