As I'm working on a desktop application that needs to connect to the database backend, and CakePHP provides an awesome mechanism for REST or AJAX communication (as well as data validation), I decided to have my desktop application talk directly through the Cake interface to do its magic.

Unfortunately, I was also using CakePHP's rather secure Security component to prevent XSS/CSRF attacks. Because the desktop application was accessing the method directly with data, bypassing the HTML that CakePHP's FormHelper renders automatically (in a form the Security Component accepts), the request was failing. And because the Security Component was set in the AppController, the request never even reached the action, so I couldn't use $this->log($this, LOG_DEBUG) to see what was happening.

After searching for a good 30 minutes or so, I came across this archived Google Group post by franky06l:
I updated this to only be used in my specific controller's action, as so:
Voila! It now works as expected.

Note: One will need to be extra cautious when disabling the Security Component. The Security Component takes care of a lot of issues for us automatically; by disabling it, you're opening yourself up to some possible troubles. Extra precaution is recommended, and I relinquish myself from any use of the above code that may cause harm - use at your own peril (or absolute need)! :-D
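
A narrower variant of the per-action approach, as an added example that is not the code from the original post or from the Google Group thread. It assumes CakePHP 1.3-era conventions, with a hypothetical `ReportsController`, `Report` model, `api_submit` action and field names. It switches off only the form-token check (the `validatePost` setting mentioned in the comments) for that one action and whitelists the saved fields to compensate.

```php
<?php
// Added example. ReportsController, Report, api_submit and the field
// names are hypothetical; AppController is assumed to load the Security
// component via var $components = array('Security');
class ReportsController extends AppController {
    var $name = 'Reports';

    function beforeFilter() {
        parent::beforeFilter();

        // Comparison (==), not assignment (=): a single '=' would
        // overwrite $this->action and match every request.
        if ($this->action == 'api_submit') {
            // Skip only the FormHelper token validation for this action.
            // The component stays enabled, and every other action keeps
            // the full check.
            $this->Security->validatePost = false;
            // The desktop client always POSTs, so keep that requirement.
            $this->Security->requirePost('api_submit');
        }
    }

    function api_submit() {
        // With token validation off, nothing stops a client from sending
        // extra fields, so whitelist what save() may write. Model
        // validation rules still run (second argument true).
        $allowed = array('title', 'body');
        $saved = !empty($this->data)
            && $this->Report->save($this->data, true, $allowed);

        $this->set('saved', (bool)$saved);
    }
}
```

The settings go in `beforeFilter()` because the Security component performs its checks after that callback and before the action runs.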

Comments


    #1 destinydriven on 01/05/11 at 05:05 AM
    Thank you so much for this snippet. Works like it's supposed to. Just one observation though, in the 'if' statements, $this->action is actually being set because of the single '=' so we need to have if(... $this->action == 'myaction').
    #1.1 Brendon Kozlowski on 01/05/11 at 03:48 PM
    I'm glad it helped you out. Thank you for commenting - also thank you for informing me of the code errors. I fixed it in my code and forgot to fix it in the copy/paste of it here. Thanks! (It's now been fixed in the above article.)
    #2 plonk on 11/10/11 at 01:42 PM
    thx for your article.
    in some cases you can just turn off parts of the security component, f.e.

    $this->Security->validatePost = false;
