[Jun 30th 2019, 17:34] st.steinkuehler: Policies are always needed with this plugin

[Jun 30th 2019, 17:33] st.steinkuehler: @ndm Thanks, I figured it out by now. This small paragraph has helped https://book.cakephp.org/authorization/1.1/en/component.html#automatic-authorization-checks and also this answer https://stackoverflow.com/a/53494211

[Jun 30th 2019, 17:27] ndm: @st.steinkuehler I'm not yet overly familiar with the plugin, but as far as I understand, all permissions are resolved by policies. For controllers and actions, the resource could be the current request object, I guess. Check for example the request authorization middleware docs: https://book.cakephp.org/authorization/1.1/en/request-authorization-middleware.html

[Jun 30th 2019, 17:26] ndm: Slack's user select box is really annoying, it should close itself after pressing TAB, which effectively selects the user :(

[Jun 30th 2019, 17:23] ndm: @thomas078 Maybe... maybe not... you'd have to explain what exactly your concern is.

[Jun 30th 2019, 17:00] yamcomnet: Working with the CakePHP Folder/File utilities. Any best practice to .zip a folder?

[Jun 30th 2019, 16:52] martin: Hmm, trying to make the OAuth 2 server plugin work in CakePHP 3.7 is too much work. I wanted to simply use a plugin to add OAuth2 to an API project. Nobody uses OAuth2 anymore in Cake?

[Jun 30th 2019, 15:24] martin: Oh, now it works :)

[Jun 30th 2019, 15:19] martin: I hate errors like that.

[Jun 30th 2019, 15:18] martin: Hmm, now I have an "An Internal Server Error Occurred".

[Jun 30th 2019, 15:13] martin: Maybe I just need to remove the company name from the namespace? :S

[Jun 30th 2019, 15:11] martin: But I don't see the namespace?

[Jun 30th 2019, 15:11] martin:
```text
| pluginname._controller:index | /Pluginname/:controller | {"action":"index","plugin":"pluginname"}
```

[Jun 30th 2019, 15:09] admad: Use the routes shell to see the routes connected.

[Jun 30th 2019, 15:07] martin: It says I need to create the file, and set the namespace to Pluginname/

[Jun 30th 2019, 15:06] martin: Also dumped the autoload.

[Jun 30th 2019, 15:06] martin: In composer.json the namespace is correct.

[Jun 30th 2019, 15:06] martin: Can't I create plugins in the namespace "Company/Pluginname"? I'm fighting with routes to a controller inside the plugin, but it says it cannot find it. But it is there :S

[Jun 30th 2019, 14:37] st.steinkuehler: Today I try the Authorization Plugin and I have some issues or misunderstandings on my side: I want to have an action-based authorization as before with the old Auth-Component. How do I do this with the plugin? I set up the middleware as described in the "Quickstart". I guess the "Policies" stuff is not what I want because "You can create policies for any class in your application", or? So it seems that this "You can check permissions anywhere by using the identity stored in the request." is the right way? Do I need a Policy for an action-based check? Can someone give me further information? Which articles, in which order, should I read and understand? I would like to understand the overall context of the "parts" involved in authorization. Thank you.

[Jun 30th 2019, 14:36] akimov.dev: Hello! Help me please, how can I get the JSON body of the request in the beforePaginate method?

[Jun 30th 2019, 12:29] snake-venom: Any suggestion?

[Jun 30th 2019, 12:29] snake-venom: I am trying to save a user id. When I am sending user_id = 0 then it's not saving, but when sending user_id = 1 then it is saving.

[Jun 30th 2019, 12:29] snake-venom: Hi there.

[Jun 30th 2019, 12:20] ndm: @st.steinkuehler A custom finder maybe. Really depends on at which point the data you want to set is available, and under which circumstances it has to be set.

[Jun 30th 2019, 11:38] st.steinkuehler: Is there a simpler, more direct way to change a field for the logged-in user, like this?
```php
// Identity class from the cakephp/authentication plugin (import added for completeness)
use Authentication\Identity;

// Pull the raw identity data out of the current identity
$userData = $this->Authentication->getIdentity()->getOriginalData();
// Change the field on the copy
$userData['assignnewpwd'] = false;
// Wrap it in a fresh Identity and store it back on the component
$updatedIdentity = new Identity($userData);
$this->Authentication->setIdentity($updatedIdentity);
```

[Jun 30th 2019, 11:35] challgren: Your entities and validation rules will prevent bad data from being inserted.

[Jun 30th 2019, 11:34] challgren: Use the ORM and request objects, never use `$_POST` with Cake.

[Jun 30th 2019, 11:33] wgon0001: Thanks for the help. I will try it out.

[Jun 30th 2019, 11:23] challgren: But a simple way to prevent it from being inserted at all is to create a Custom Rule Object so you can reuse it.

[Jun 30th 2019, 11:22] ndm: @wgon0001 Obfuscation via ROT13 or Base64, I haven't seen that in years. Generally you need to first properly assess a threat; just adding "security stuff" will most likely fail if you don't know how a possible attack works. As @challgren said, that code snippet alone is no threat. Ask yourself, how could someone exploit ROT13-obfuscated PHP that's embedded in a database record? Your application would have to un-ROT13 it, and either eval it, or write the contents to a PHP file and execute it, or have it written to a place where an external attacker could execute it.

[Jun 30th 2019, 11:16] challgren: Plus, if you did get `<?php @eval($_POST[value]);?>` inserted into your database, it wouldn't run.

[Jun 30th 2019, 11:14] challgren: And then, if you wanted to, you can write your own rule to look for that string: https://book.cakephp.org/3.0/en/orm/validation.html#creating-custom-re-usable-rules

[Jun 30th 2019, 11:11] challgren: https://book.cakephp.org/3.0/en/orm/saving-data.html#merging-request-data-into-entities

[Jun 30th 2019, 11:11] challgren: https://book.cakephp.org/3.0/en/orm/saving-data.html#converting-request-data-into-entities

[Jun 30th 2019, 11:04] challgren: https://book.cakephp.org/3.0/en/orm/query-builder.html#sql-injection-prevention

[Jun 30th 2019, 10:59] challgren: By using `$_POST` you aren't even allowing Cake to sanitize the input.

[Jun 30th 2019, 10:57] challgren: You know CakePHP has SQL injection built in if used correctly.

[Jun 30th 2019, 10:55] wgon0001: There are many articles and some attackers' write-ups saying how they do this. And I tried it yesterday; it did work on my build with Cake 3.7.

[Jun 30th 2019, 10:53] slackebot: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html