| # |
Nov 14th 2017, 09:55 |
 meowcate |
Same here |
| # |
Nov 14th 2017, 09:42 |
neon1024 |
Morning everyone! :slightly_smiling_face: |
| # |
Nov 14th 2017, 08:55 |
admad |
gtg |
| # |
Nov 14th 2017, 08:55 |
admad |
instead of relying on security token, use 'fieldList' https://book.cakephp.org/3.0/en/orm/saving-data.html#avoiding-property-mass-assignment-attacks |
| # |
Nov 14th 2017, 08:52 |
admad |
a solution even if achievable would be too complicated and not worth the maintenance effort |
| # |
Nov 14th 2017, 08:51 |
sniedermaier |
ok, so i take a workaround and submit to a different url via ajax and use the action for the preview ... but would be nice, if we could get this as an improvement to FormHelper/SecurityComponent |
| # |
Nov 14th 2017, 08:49 |
admad |
the security token includes the URL to submit to, so it's not possible to generate a token which can be valid for more than one action url |
| # |
Nov 14th 2017, 08:49 |
sniedermaier |
val=null and val=false doesn't remove the value either ;) |
| # |
Nov 14th 2017, 08:48 |
admad |
meh nvm it won't work either |
| # |
Nov 14th 2017, 08:47 |
admad |
also better to use form->submit() to generate input type=submit |
| # |
Nov 14th 2017, 08:46 |
admad |
no, val => null or false so that "value" attribute isnt generated at all |
| # |
Nov 14th 2017, 08:46 |
birdy247 |
:slightly_smiling_face: |
| # |
Nov 14th 2017, 08:45 |
sniedermaier |
@admad `$this->Form->control('preview', ['val' => '']);`? |
| # |
Nov 14th 2017, 08:44 |
admad |
the price you pay for using windows :slightly_smiling_face: |
| # |
Nov 14th 2017, 08:43 |
birdy247 |
morning rant over |
| # |
Nov 14th 2017, 08:43 |
birdy247 |
bloody windows fall update killing my vagrant |
| # |
Nov 14th 2017, 08:43 |
birdy247 |
Hey @admad |
| # |
Nov 14th 2017, 08:43 |
admad |
moin birdy |
| # |
Nov 14th 2017, 08:42 |
admad |
i have a feeling it will |
| # |
Nov 14th 2017, 08:42 |
birdy247 |
morning |
| # |
Nov 14th 2017, 08:42 |
admad |
@sniedermaier regarding https://github.com/cakephp/cakephp/issues/11427 does submit to /url2 work if you remove "value" from input with id = "preview" ? |
| # |
Nov 14th 2017, 08:40 |
sniedermaier |
ok, i'll rework the code ;) thanks |
| # |
Nov 14th 2017, 08:37 |
admad |
regardless don't redirect on server side for ajax requests |
| # |
Nov 14th 2017, 08:35 |
sniedermaier |
its not for success/failure. I have dozens of page contents and a controller for each "type" (identified by a db col). the first controller checks for which specific controller handles the "action" something like "Pages" redirects to "NewsPage", "ProductPage" and so on |
| # |
Nov 14th 2017, 08:32 |
admad |
"I'm using a Controller to redirect to an other controller wihch has the form in its template" your mean using $this->redirect() for ajax request? If so don't do that. Check for success/failure on client side and do redirect there |
| # |
Nov 14th 2017, 08:27 |
admad |
the cookie is the "source of truth" and holds value to compare against. So the value for comparing needs to be either in POST data or X-CSRF-Token header |
| # |
Nov 14th 2017, 08:21 |
sniedermaier |
@admad found the problem I'm using a Controller to redirect to an other controller wihch has the form in its template. The redirect kills the _csrfToken-Param which is needed to create the input for it. Is there any reason why the param is used and not the Cookie? |
| # |
Nov 14th 2017, 08:07 |
slackebot2 |
type="hidden"></div> <div class="hidden"> <input name="_csrfToken" value="258038723e6b8b25e3ab26c3b155191bc36749dff14c38884a1044489d405be91d96d9c003eca5027e2993788dfb3fd74cbb0e3f75eb66699cddb8b919c60f12"> </div>``` |
| # |
Nov 14th 2017, 08:07 |
sniedermaier |
@admad when i open the `form` in its own window (not using ajax) the field is there ``` <form method="post" accept-charset="utf-8" role="form" action="/content/menus/pagetree/136"><div class="hidden"><input name="_method" value="PUT" type="hidden"><input name="_csrfToken" autocomplete="off" value="258038723e6b8b25e3ab26c3b155191bc36749dff14c38884a1044489d405be91d96d9c003eca5027e2993788dfb3fd74cbb0e3f75eb66699cddb8b919c60f12" |
| # |
Nov 14th 2017, 07:57 |
sniedermaier |
its on Cake 3.5.5 |
| # |
Nov 14th 2017, 07:56 |
sniedermaier |
well, yea, that's what i expect too ... FormStart `echo $this->Form->create($pageContent);` Markup: `<form method="post" accept-charset="utf-8" role="form" action="/content/menus/pagetree/136"><div class="hidden"><input name="_method" value="PUT" type="hidden"></div>` |
| # |
Nov 14th 2017, 07:52 |
admad |
a form created using form helper should already have csrf token field |
| # |
Nov 14th 2017, 07:16 |
sniedermaier |
I'm loading a form via ajax into my page and using POST to send the form data to a new tab. I'm getting a csrf-Token mismatch, cause the field is missing in my form (I'm using `$this->Form->create()`). Any explanation why this happens? Do i have to add the CSRF-field manually? |
| # |
Nov 14th 2017, 05:55 |
ono-t |
:sunny: |
| # |
Nov 14th 2017, 04:41 |
admad |
String is a protected keyword in php 7. Use CakeText instead |
| # |
Nov 14th 2017, 04:20 |
aro |
This is on PHP 7, is it not supported? |
| # |
Nov 14th 2017, 04:20 |
aro |
i am using cake 2.10.4, and i am getting an error: Class 'String' not found |
| # |
Nov 14th 2017, 02:45 |
thomasnucleus |
How can I actually debug issues with my pdf generation with Cakepdf? I' |
| # |
Nov 14th 2017, 01:51 |
voycey |
But generally if you need it in one place you will need it in several eventually - so there are things like this that make it easy: https://github.com/UseMuffin/Trash |
| # |
Nov 14th 2017, 01:46 |
voycey |
but basically you can just force it to not find deleted records - you dont have to test for it do you? |
| # |
Nov 14th 2017, 01:45 |
voycey |
^im lying - I did in the table as a finder |