# |
Jun 21st 2021, 16:22 |
neon1024 |
I wondered if the third party doesn't send the cookie, whether the request wouldn't contain the session? Is that a thing? As it's `$this->getRequest()->getSession()` |
# |
Jun 21st 2021, 16:22 |
neon1024 |
If something external posts to my application, will the request not include the session? I am writing data before forwarding a user off, and when they return I want to match stuff with the session from before they left, but it's not present |
# |
Jun 21st 2021, 15:47 |
kevin.pfeifer |
i see, thx :) |
# |
Jun 21st 2021, 15:47 |
ndm |
Not with regards to preventing absolute URLs from slipping in, no, `getLoginRedirect()` will prevent that just fine, it just needs to be actually used :) |
# |
Jun 21st 2021, 15:44 |
kevin.pfeifer |
so this isn’t an issue with the authentication plugin? I don’t have a “pure” authentication app ready to test it |
# |
Jun 21st 2021, 15:40 |
ndm |
You may want to open an issue with cakedc/users so that they can possibly fix it. |
# |
Jun 21st 2021, 15:35 |
kevin.pfeifer |
but isn't that exactly what is being discussed here? https://github.com/cakephp/authentication/issues/450 |
# |
Jun 21st 2021, 15:32 |
kevin.pfeifer |
I can confirm the external redirect from the `redirect_to=<url_encoded-URL>` param when using cakedc/users which is based on the authentication plugin |
# |
Jun 21st 2021, 14:36 |
a.vanniel |
we jumped on the Authentication middleware with version 1.x ... I guess we forgot to change this part for 2.x ... I feel a bit stupid now. |
# |
Jun 21st 2021, 14:31 |
ndm |
`getLoginRedirect()` was introduced with some early 1.x version I think, so at some point the docs were different. |
# |
Jun 21st 2021, 14:25 |
a.vanniel |
we actually used that page to build what we have now... has this been changed? or did we just mess things up at some point? |
# |
Jun 21st 2021, 14:25 |
ndm |
https://book.cakephp.org/authentication/2/en/index.html#building-a-login-action |
# |
Jun 21st 2021, 14:23 |
a.vanniel |
where do I find docs to do this properly ... or in other words, where do I find docs to read how this should be fixed? |
# |
Jun 21st 2021, 14:21 |
a.vanniel |
```php
$redirect = $this->request->getQuery('redirect', [
    'controller' => 'Pages',
    'action' => 'display',
    'home',
]);
```
I think this must be old and has not been updated at some point... |
# |
Jun 21st 2021, 14:21 |
a.vanniel |
oh dear... I just noticed something... |
# |
Jun 21st 2021, 14:20 |
ndm |
What does your redirect code look like? |
# |
Jun 21st 2021, 14:20 |
a.vanniel |
(running Authentication 2.6.1 by the way) |
# |
Jun 21st 2021, 14:19 |
a.vanniel |
might we have done something wrong on our end to allow redirect to go to an external page after logging in? I just tried it again... came to https://www.our-site.com/users/login?redirect=%2F and I changed the redirect to https://www.some-evil-site.com/ and got redirected to the external site after logging in... |
# |
Jun 21st 2021, 14:17 |
a.vanniel |
odd... |
# |
Jun 21st 2021, 14:02 |
ndm |
Yes, it really should. https://github.com/cakephp/authentication/blob/2.6.1/tests/TestCase/AuthenticationServiceTest.php#L751-L755 |
# |
Jun 21st 2021, 13:59 |
a.vanniel |
@ndm really? because I manually changed redirect for the Authentication middleware plugin in the login page and after logging in, I was redirected to the google search engine landing page... Also, I am looking to do this in a place somewhere other than login ... it was just an example ... not meant to say there is a bug or security hole in there... I just was trying to figure out if and how that middleware handles external illegal urls. |
# |
Jun 21st 2021, 13:56 |
ndm |
Sorry, meant to tag @a.vanniel |
# |
Jun 21st 2021, 13:55 |
ndm |
@alexdd55976 Use the authentication component, `getLoginRedirect()` will only return relative URLs, if someone crams in an absolute URL (internal or external), you'd receive `null`. |
# |
Jun 21st 2021, 13:07 |
a.vanniel |
for now I did what you suggested regarding the host by the way... checking if the host in the redirect url (full) matches the current host... if not, it most likely isn't internal |
# |
Jun 21st 2021, 13:06 |
a.vanniel |
It would be great to have an isInternal method inside Router... I don't think many people actually need this though.. I will open an issue on GitHub and see where it goes. good luck on your 2nd shot... I need to wait until the 12th of July for the 2nd one. |
# |
Jun 21st 2021, 13:01 |
kevin.pfeifer |
I would suggest you create an issue in the cakephp/cakephp repo. I don't know it/can't check right now since I'm on my way to get my 2nd vaccine shot :) Or someone else can answer that ^^ |
# |
Jun 21st 2021, 12:22 |
a.vanniel |
What I don't really get, but there might be some logic to this, is why the Google website counts as an existing route....? |
# |
Jun 21st 2021, 12:17 |
a.vanniel |
would normalize be able to help me out here? |
# |
Jun 21st 2021, 12:16 |
a.vanniel |
it's not that I would want this to be added to the middleware per se... it was more of a thing that I am using similar logic (redirect param) and after doing the thing, redirect the user to the redirect param and when I looked at the Authentication middleware I did not see any security in place to prevent someone/something from redirecting someone to something externally after a login... I am doing this after a payment and I would like to prevent manipulation of the redirect param so that someone is not redirected anywhere externally after payment is done and after a user is coming back... the url is stored in the database for several reasons, one of which is because the payment provider is a pain in the behind about return urls. |
# |
Jun 21st 2021, 12:11 |
kevin.pfeifer |
we could make that a configurable option |
# |
Jun 21st 2021, 12:11 |
kevin.pfeifer |
then that would have to be added to this function i guess https://github.com/cakephp/authentication/blob/de989c759937406f514a5a31313b36578005b07c/src/AuthenticationService.php#L360 |
# |
Jun 21st 2021, 12:09 |
a.vanniel |
maybe I am just making things more complex than need be but it feels like a security hole in the location I have this ?redirect= param... |
# |
Jun 21st 2021, 12:08 |
a.vanniel |
but that is when a user is about to or just has been redirected, right? |
# |
Jun 21st 2021, 12:07 |
kevin.pfeifer |
you could use https://github.com/cakephp/cakephp/blob/master/src/Routing/Router.php#L225 and catch the MissingRouteException |
# |
Jun 21st 2021, 12:07 |
a.vanniel |
alright... thing is that with the Authentication middleware, relative redirects are used, to make sure the param does not get too large I guess... |
# |
Jun 21st 2021, 12:06 |
a.vanniel |
I thought I'd take a look at Router::routeExists() but that actually returns true for external URLs. ... |
# |
Jun 21st 2021, 12:06 |
kevin.pfeifer |
to be fair, all the redirect param logic I know always uses absolute urls |
# |
Jun 21st 2021, 12:04 |
kevin.pfeifer |
well if you force your redirect param to be absolute all the time then you can check that pretty easily with a parse_url |
# |
Jun 21st 2021, 11:59 |
a.vanniel |
I thought I would check how the Authentication middleware handles this... but when you open a login screen, change the ?redirect= to something else and log in, you are then redirected to the external page I entered in ?redirect=... I had expected this would really force redirect to be local/matching route but it doesn't |
# |
Jun 21st 2021, 11:57 |
a.vanniel |
the latter might not work with a relative path unless the Router first qualifies the user-given url of course |
# |
Jun 21st 2021, 11:57 |
a.vanniel |
Basically I want to prevent someone (or something) from entering https://www.google.com in the ?redirect= , so that when they would hit refresh and after the form has been posted they would not be transported to https://www.google.com ... and where this google url is set, any other malicious url could be set and you could replace the user by any malicious script I guess. So I am conflicted between the "check if the url matches a route" and the "check for host" method... |
# |
Jun 21st 2021, 11:53 |
kevin.pfeifer |
so you want to know if a given URL matches any route in your app? Or are you happy if you check the host part of the url? |
# |
Jun 21st 2021, 11:47 |
a.vanniel |
Does anybody know if there is a way to filter a user supplied url? Basically what I would like to do is populate a query variable and I want to sanitize this variable so it does not contain an external url... I thought passing something to Router::url() would solve my problems but when I pass something like https://www.google.com to Router::url() I am just getting the same url back, instead I would have liked something like / or /pages/display/home to be returned. Is this at all possible? |
# |
Jun 21st 2021, 10:19 |
kevin.pfeifer |
@alamnaryab what are you trying to accomplish with that logic? As far as I know the `$connection->rollback();` only works for manually executed queries like |
```php
$connection->execute('UPDATE articles SET published = ? WHERE id = ?', [true, 2]);
```
If you go through the ORM with `$connection->Tags->save($tag)` you can't rollback from that. But again, what are you trying to accomplish? |
# |
Jun 21st 2021, 09:16 |
kupe3b |
thanks @erwane |
# |
Jun 21st 2021, 07:59 |
erwane |
https://book.cakephp.org/4/en/views/helpers/form.html#creating-select-pickers |
# |
Jun 21st 2021, 07:59 |
erwane |
so `<?= $this->Form->control('fieldname', ['multiple' => 'checkbox', 'options' => $selectOptions]) ?>` |
# |
Jun 21st 2021, 07:58 |
erwane |
```
Attributes for Select Pickers
'multiple' - If set to true allows multiple selections in the select picker. If set to 'checkbox', multiple checkboxes will be created instead. Defaults to null.
```
# |
Jun 21st 2021, 07:38 |
kupe3b |
hello, when baking views, in many-to-many relations a `<select>` tag is generated with multi-selection enabled. Is there an easy way to make it generate a list of checkboxes instead? |
# |
Jun 21st 2021, 06:43 |
erwane |
`displayField` ? |
# |
Jun 21st 2021, 06:40 |
paolo.bragagni |
hi I'm trying to get in form.twig the name of the 'title' in associated table. I mean the name of the default field used for 'title'. |
# |
Jun 21st 2021, 06:01 |
alamnaryab |
Good morning, having an issue with transactions https://book.cakephp.org/4/en/orm/database-basics.html#using-transactions |
```php
if ($this->request->is('post')) {
    $connection = ConnectionManager::get('default');
    $connection->begin();
    $tag = $connection->Tags->patchEntity($tag, $this->request->getData());
    if ($connection->Tags->save($tag)) {
        $connection->rollback(); //*********** this rollback is not working, record is saved in DB
        $this->Flash->success(__('The tag has been saved.'));
        return $this->redirect(['action' => 'index']);
    }
    $this->Flash->error(__('The tag could not be saved. Please, try again.'));
}
```
# |
Jun 20th 2021, 17:13 |
ndm |
you're welcome |
# |
Jun 20th 2021, 17:13 |
amayer |
Thanks for pointing me down the right path @ndm! |
# |
Jun 20th 2021, 17:12 |
amayer |
Looks like `$config = ConnectionManager::getConfig('default');` is what I was looking for! |
# |
Jun 20th 2021, 17:00 |
amayer |
I'll give the ConnectionManager thing a try. |
# |
Jun 20th 2021, 16:59 |
ndm |
well there you go :) |
# |
Jun 20th 2021, 16:59 |
ndm |
Some configuration is "consumed", meaning it is being removed from the config after reading, and then it's only available via the consumers, in your case the connections. Try `\Cake\DataSource\ConnectionManager::get('default')->getConfig()` |
# |
Jun 20th 2021, 16:59 |
amayer |
I may have found the issue... Looks like `Datasources` is being consumed in config/bootstrap.php |
# |
Jun 20th 2021, 16:50 |
amayer |
Hello, I am writing a plugin (composer package) and would like to retrieve the `Datasources.default` settings using `\Cake\Core\Configure::read()`, but it doesn't seem to have a value. All other settings in my config/app_local.php (main application, cakephp 4.2.7) seem to be there. Is there a reason I can't access `Datasources.default` from a plugin? |
# |
Jun 20th 2021, 13:14 |
ndm |
As you've done it in your snippet would be one way, it should work fine for date/time objects that are being cast to string. But as mentioned, your output looks like the default JSON encode format, the default to string format is i18n aware, and will never give you the format that's shown in your output. |
# |
Jun 20th 2021, 13:12 |
alamnaryab |
I need one format that is `yyyy-MM-dd HH:mm:ss` for any language/locale; all the users are in the same timezone. Where and how can I set it? |
# |
Jun 20th 2021, 13:10 |
ndm |
Indeed, it depends. If he'd need all output in the same format, then setting a default to string format could work just fine. But that's different from timezone conversions, the to string logic isn't aware of timezones, only of formats. All that being said, his snippet should have worked fine, so there must be something else to it. That example output looks like the default JSON encode format. |
# |
Jun 20th 2021, 13:02 |
kevin.pfeifer |
I was just thinking in the example of @alamnaryab where he just wants to show a different datetime format for a different language prefix. Instead of having to adjust all outputted datetime fields in the template there should be some sort of global default which can be overwritten by e.g. a language prefix. sure it is all very customizable but as you said it all depends on the use case ^^ |
# |
Jun 20th 2021, 12:56 |
ndm |
If you'd have dates with different timezones, you'd have to store that timezone in the DB alongside, and you'd have to come up with something on your own, a custom helper would be easy enough. |
# |
Jun 20th 2021, 12:55 |
ndm |
Yeah, it's called `outputTimezone` |
# |
Jun 20th 2021, 12:55 |
ndm |
Unfortunately proper documentation for this is lacking... it's a somewhat complicated topic, so that's not too surprising. It really depends on the requirements of your application, if for example all dates should be converted to the same timezone, the time helper has a config option for that IIRC. |
# |
Jun 20th 2021, 12:51 |
kevin.pfeifer |
so datetime fields for e.g. created and modified should be saved in UTC (therefore looking into the database via sql cli or phpmyadmin should show UTC values). But where in cakephp (in a multilingual setup) do I have to add the logic to show different formats and/or timezones? Is there a guide somewhere? |
# |
Jun 20th 2021, 12:46 |
ndm |
@kevin.pfeifer `DATETIME` columns can hold a timezone offset (not a timezone name) as of MySQL 8. CakePHP accepts such formats even for the default `DateTimeType` class, but it won't save it like that, only the `DateTimeTimezoneType` does, which however isn't automatically mapped. Also MySQL will not return the offset when doing a select, instead it will return the date with the offset subtracted. I haven't tried it yet, but I could imagine that this can make things extra annoying :) `TIMESTAMP` is converted from server/connection timezone to UTC on save, and from UTC to server/connection timezone on read (this is what the datasource config timezone would be used for). As always when this topic comes up, I'd like to mention that from my personal experience, I can only suggest to go UTC all the way, and convert to specific timezones on PHP/frontend level when required, even if it's more work. I have never not run into a hot steaming pile of trouble when doing timezone conversions for saving/reading. |
# |
Jun 20th 2021, 10:36 |
kevin.pfeifer |
I guess I am mixing up the `datetime` MySQL field with the `timestamp` field. timestamp is always UTC, datetime can "save" timezones |
# |
Jun 20th 2021, 10:31 |
kevin.pfeifer |
As far as I know there are |
• the timezone the data is saved in the database (in a datetime column, or is this always UTC?) |
• the timezone setting present in the datasource config (which should be the same as the data saved in the database as far as I know) |
• the `setToStringFormat` from above |
• and there are view helpers as well to change the format for php datetime objects |
# |
Jun 20th 2021, 10:20 |
dereuromark |
localized output vs default (code/iso) output |
# |
Jun 20th 2021, 10:20 |
kevin.pfeifer |
Guess I have to go a bit deeper here to fully understand where date formats (and maybe timezones as well) are present and can/should be changed |
# |
Jun 20th 2021, 10:18 |
kevin.pfeifer |
I am sorry but what do you mean by "both" here? |
# |
Jun 20th 2021, 10:14 |
dereuromark |
at least when local date format != code one |
# |
Jun 20th 2021, 10:13 |
dereuromark |
because you are using it for both (which works, but is maybe not the best idea) |
# |
Jun 20th 2021, 10:10 |
kevin.pfeifer |
but then why does the `setToStringFormat` work for me without that helper? |
# |
Jun 20th 2021, 09:43 |
dereuromark |
most bake templates have that properly built in, though, https://github.com/dereuromark/cakephp-setup/blob/master/templates/bake/Template/view.twig#L95 etc |
# |
Jun 20th 2021, 09:42 |
dereuromark |
the string casting default format is mainly for code output (e.g. in json formatting) |
# |
Jun 20th 2021, 09:39 |
dereuromark |
if you want to format it, you should use Time helper here |
# |
Jun 20th 2021, 04:45 |
alamnaryab |
In view `<td><?= h($entityRow->created) ?></td>` |
# |
Jun 19th 2021, 23:59 |
greg138 |
They are being formatted incorrectly in your views? If so, please show an example of how you are outputting it. Or it's formatted incorrectly in the data (e.g. entities) you're loading from the database? |
# |
Jun 19th 2021, 21:18 |
kevin.pfeifer |
well one thing I can tell you is the fact that your datetime output above is ISO8601 (which I guess is the default format being outputted by cakephp) |
# |
Jun 19th 2021, 21:04 |
alamnaryab |
yes, it is default ar, I have a multilingual site but datetime I need in `yyyy-MM-dd HH:mm:ss` format from database fields |
# |
Jun 19th 2021, 20:58 |
kevin.pfeifer |
have you set your `App.defaultLocale` to something special in your `config/app_local.php` (or the `config/.env` file if you are using it) |
# |
Jun 19th 2021, 20:52 |
alamnaryab |
yes |
# |
Jun 19th 2021, 20:50 |
kevin.pfeifer |
so like the outputted `$entity->created` datetime in your frontend didn’t change? |
# |
Jun 19th 2021, 20:46 |
alamnaryab |
I wrote this at end of bootstrap.php |
```php
use Cake\I18n\Date;
use Cake\I18n\FrozenDate;
use Cake\I18n\FrozenTime;
use Cake\I18n\Time;

Time::setToStringFormat('HH:mm:ss');
FrozenTime::setToStringFormat('HH:mm:ss');
Date::setToStringFormat('yyyy-MM-dd HH:mm:ss');
FrozenDate::setToStringFormat('yyyy-MM-dd HH:mm:ss');
```
but still date from database is showing like `2015-09-26T18:58:40+04:00` |
# |
Jun 19th 2021, 20:30 |
kevin.pfeifer |
but be aware if you want to set the date format yourself (not using the preconfigured constants) with something like `'Y-m-d H:i:s'` because these "letters" are not your typical PHP date variables. Instead this is used here: http://userguide.icu-project.org/formatparse/datetime |
# |
Jun 19th 2021, 20:25 |
kevin.pfeifer |
this should be added to your `config/bootstrap.php` at the bottom |
# |
Jun 19th 2021, 20:23 |
kevin.pfeifer |
https://book.cakephp.org/4/en/core-libraries/time.html#setting-the-default-locale-and-format-string |
# |
Jun 19th 2021, 20:15 |
alamnaryab |
Using CakePHP 4, what is the better way to change the date format and datetime format at project level? |
# |
Jun 19th 2021, 18:51 |
admad |
yes |