FormProtection
Like all components, it is configured through several configurable parameters. All of these properties can be set directly or through setter methods of the same name in your controller's initialize() or beforeFilter() methods.
If you are using other components that process form data in their startup() callbacks, be sure to place FormProtection Component before those components in your initialize() method.
Note
When using the FormProtection Component you must use the FormHelper to create your forms. In addition, you must not override any of the fields' "name" attributes. The FormProtection Component looks for certain indicators that are created and managed by the FormHelper (especially those created in and). Dynamically altering the fields that are submitted in a POST request (e.g. disabling, deleting or creating new fields via JavaScript) is likely to cause the form token validation to fail.
- Form’s action (URL) cannot be modified.
- Unknown fields cannot be added to the form.
- Fields cannot be removed from the form.
- Values in hidden inputs cannot be modified.
Preventing these types of tampering is accomplished by working with the FormHelper and tracking which fields are in a form. The values for hidden fields are tracked as well. All of this data is combined and turned into a hash, and hidden token fields are automatically inserted into forms. When a form is submitted, the FormProtectionComponent will use the POST data to build the same structure and compare the hash.
Note
The FormProtectionComponent will not prevent select options from being added/changed. Nor will it prevent radio options from being added/changed.
Configuring the security component is generally done in the controller's initialize() or beforeFilter() callbacks:
- Set to false to completely skip the validation of POST requests, essentially turning off form validation.
- unlockedFields - Set to a list of form fields to exclude from POST validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST, and hidden unlocked fields do not have their values checked.
- unlockedActions - Actions to exclude from POST validation checks.
- validationFailureCallback - Callback to call in case of validation failure. Must be a valid Closure. Unset by default, in which case an exception is thrown on validation failure.
The above example would disable form tampering prevention for admin prefixed routes.
There may be cases where you want to disable form tampering prevention for an action (ex. AJAX requests). You may "unlock" these actions by listing them in $this->Security->unlockedActions in your beforeFilter():
This example would disable all security checks for the edit action.
If form protection validation fails it will result in a 400 error by default. You can configure this behavior by setting the validationFailureCallback configuration option to a callback function in the controller.
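The following controller is an added example, not code from the CakePHP documentation, that puts the configuration options above together: FormProtection is loaded ahead of other components in initialize(), and beforeFilter() turns validation off for the admin prefix, unlocks an AJAX-driven action and a client-modified field, and replaces the default 400 response with a redirect. The controller name, the 'Admin' prefix, the 'edit' action and the 'search_term' field are assumptions for this example.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Cake\Event\EventInterface;
use Cake\Http\Exception\BadRequestException;

class ArticlesController extends AppController
{
    public function initialize(): void
    {
        parent::initialize();
        // Load FormProtection before any component that reads form data in
        // its startup() callback, so the token check runs before they do.
        $this->loadComponent('FormProtection');
        $this->loadComponent('Flash');
    }

    public function beforeFilter(EventInterface $event)
    {
        parent::beforeFilter($event);

        // Skip validation entirely for admin-prefixed routes
        // ('Admin' is the assumed prefix name in this example).
        if ($this->getRequest()->getParam('prefix') === 'Admin') {
            $this->FormProtection->setConfig('validate', false);
        }

        // Exclude the AJAX-driven 'edit' action (assumed) from POST validation.
        $this->FormProtection->setConfig('unlockedActions', ['edit']);

        // 'search_term' (assumed) is rewritten by JavaScript before submit;
        // unlocking it keeps the rest of the form's token check intact.
        $this->FormProtection->setConfig('unlockedFields', ['search_term']);

        // Replace the default 400 error with a flash message and a redirect.
        // The callback receives the BadRequestException that would have been thrown.
        $this->FormProtection->setConfig(
            'validationFailureCallback',
            function (BadRequestException $exception) {
                $this->Flash->error('The form could not be verified; please try again.');

                return $this->redirect(['action' => 'index']);
            }
        );
    }
}
```

Unlocking only the fields and actions that genuinely need it keeps the hash covering everything else, which is the point of the component.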