# |
Apr 12th 2021, 19:50 |
khalil |
The timeout thing i mean |
# |
Apr 12th 2021, 19:50 |
khalil |
I think what you’re saying makes sense, but it’s really annoying |
# |
Apr 12th 2021, 19:50 |
khalil |
Thanks for the feedback guys! |
# |
Apr 12th 2021, 17:05 |
greg138 |
I need to spend some time wrapping my head around what forms it might be okay to skip that check for, and where it's not, to replace the unfriendly black-hole message with something about a timeout and maybe regenerate the form with the data preserved. |
# |
Apr 12th 2021, 17:03 |
greg138 |
I haven't come to a good conclusion on how best to handle that situation yet myself. :( |
# |
Apr 12th 2021, 17:03 |
greg138 |
If I could witness your profile edit form, I could re-send it but with my own password or email address. |
# |
Apr 12th 2021, 17:03 |
kevin.pfeifer |
"betterr" => easier |
# |
Apr 12th 2021, 17:03 |
kevin.pfeifer |
so basically it would be better to just show a notice after X minutes to just refresh instead of trying to fix the onscreen form :) |
# |
Apr 12th 2021, 17:02 |
kevin.pfeifer |
ah ok |
# |
Apr 12th 2021, 17:02 |
greg138 |
i.e. re-using the token, etc. to make the form appear legitimate to the rest of the form security. |
# |
Apr 12th 2021, 17:01 |
greg138 |
It's not a super robust replay prevention scheme. It just assumes that any form submitted more than X minutes after it was generated is probably not from a real user, but someone replaying form contents they somehow captured earlier (but with different values to benefit themselves). |
# |
Apr 12th 2021, 17:00 |
kevin.pfeifer |
well how does it check if it's a replay attack then :thinking_face: |
# |
Apr 12th 2021, 16:52 |
greg138 |
There's also a timeout in there, to avoid replay attacks. Not sure where that's covered in the docs. |
# |
Apr 12th 2021, 16:49 |
kevin.pfeifer |
seems like your form falls into one of these conditions:
• Unknown fields cannot be added to the form.
• Fields cannot be removed from the form.
• Values in hidden inputs cannot be modified.
https://book.cakephp.org/4/en/controllers/components/security.html#form-tampering-prevention |
# |
Apr 12th 2021, 16:12 |
greg138 |
This isn't CSRF, it's the form security component. |
# |
Apr 12th 2021, 14:01 |
kevin.pfeifer |
either `mysqldump` via SSH or export the database via e.g. PHPMyAdmin |
# |
Apr 12th 2021, 12:42 |
nayakvradhit |
Now my concern is: is it possible to copy the db from the old server to the new server for this db? |
# |
Apr 12th 2021, 12:41 |
nayakvradhit |
I have resolved it by granting privileges to the user, and after that I got an unknown db called dbname, and I have created the db and now that issue is also gone. |
# |
Apr 12th 2021, 12:40 |
nayakvradhit |
Hi Kevin, |
# |
Apr 12th 2021, 11:56 |
neon1024 |
I can work with that for now |
# |
Apr 12th 2021, 11:56 |
neon1024 |
Hehe, now I get a file `LOGSerror.log` :) |
# |
Apr 12th 2021, 11:42 |
neon1024 |
Oh it’s the same, I shall go look |
# |
Apr 12th 2021, 11:42 |
neon1024 |
Sorry that didn’t work. You linked `master` perhaps it’s different for 3.x :) |
# |
Apr 12th 2021, 11:20 |
neon1024 |
Ahh, nice, thanks @admad |
# |
Apr 12th 2021, 11:19 |
admad |
https://github.com/cakephp/cakephp/blob/master/src/Core/StaticConfigTrait.php#L191 |
# |
Apr 12th 2021, 10:57 |
neon1024 |
Just whilst I am on a roll. I would like to log to file for my local env. I used `export LOG_ERROR_URL="file://logs?levels[]=warning&levels[]=error&levels[]=critical&levels[]=alert&levels[]=emergency&file=error"` but for some reason the log files are written to the root of my project instead of to `/logs`. What have I missed from my DSN? |
# |
Apr 12th 2021, 10:47 |
neon1024 |
Seems it does! Must be some secret __call in the entity trait :thinking_face: |
# |
Apr 12th 2021, 10:45 |
neon1024 |
Just wondering if there is some secret magic in the background |
# |
Apr 12th 2021, 10:45 |
neon1024 |
Just a quick question. In Cake 3, accessing an entity property directly such as `$example->thing`, does that still use the `_getThing()` accessor method, or do I have to use `$example->get('thing')`? |
# |
Apr 12th 2021, 09:56 |
me1367 |
That'll make it executable so that you don't have to run `php bin/cake` |
# |
Apr 12th 2021, 09:55 |
me1367 |
`chmod +x bin/cake.php` |
# |
Apr 12th 2021, 02:48 |
hmic |
@noel |
# |
Apr 12th 2021, 02:48 |
hmic |
try "php bin/cake.php" |
# |
Apr 12th 2021, 00:00 |
noel |
yes: zsh: permission denied |
# |
Apr 11th 2021, 23:31 |
khalil |
No I get request has been blackholed |
# |
Apr 11th 2021, 23:26 |
kevin.pfeifer |
does `bin/cake.php` show something? |
# |
Apr 11th 2021, 23:02 |
noel |
I’m getting no terminal output nor errors when I run `bin/cake` and nothing in the CLI logs. Any ideas? |
# |
Apr 11th 2021, 17:00 |
noel |
@admad it’s not stateless no. It’s a stateful REST, so we can handle things like permissions by knowing who the session user is. |
# |
Apr 11th 2021, 16:56 |
cnizzardini |
Store JWT in session and pass JWT to API. CakePHP supports this. |
# |
Apr 11th 2021, 16:46 |
cnizzardini |
Should consider JWT, but I replied to the original message. Set request accepts header. |
# |
Apr 11th 2021, 16:36 |
admad |
There are stateless authenticators :) |