| # |
Apr 12th 2021, 20:45 |
 khalil |
Perfect thanks Kevin! |
| # |
Apr 12th 2021, 20:44 |
kevin.pfeifer |
https://github.com/cakephp/cakephp/blob/master/src/Controller/Component/SecurityComponent.php#L242 |
| # |
Apr 12th 2021, 20:44 |
kevin.pfeifer |
if you get a AuthSecurityException its this line |
| # |
Apr 12th 2021, 20:43 |
kevin.pfeifer |
if your get a BadRequestException its this line https://github.com/cakephp/cakephp/blob/master/src/Controller/Component/SecurityComponent.php#L188 |
| # |
Apr 12th 2021, 20:43 |
khalil |
Next challenge is to make it happen haha |
| # |
Apr 12th 2021, 20:43 |
khalil |
I’m setting up a local dev with a debugger |
| # |
Apr 12th 2021, 20:08 |
kevin.pfeifer |
there are only a few places where that error is being triggered. If you got a local setup and/or xdebug you could pretty easily track down what causes that error |
| # |
Apr 12th 2021, 20:05 |
greg138 |
I can't find specifics of what I'm talking about now, so I'm wondering whether I've got it wrong and that's not an explicit thing but rather a side effect of CSRF or session timeout? If you have an integrated debugger, it should be pretty easy to step through the security component's form checking to find what, specifically, is triggering the issue for you. |
| # |
Apr 12th 2021, 19:52 |
khalil |
And Kevin my form doesn’t fall under any of these criteria’s |
| # |
Apr 12th 2021, 19:51 |
khalil |
Blackhole is annoying :$ |
| # |
Apr 12th 2021, 19:51 |
khalil |
I need to read more if we can extend the time |
| # |
Apr 12th 2021, 19:50 |
khalil |
The timeout thing i mean |
| # |
Apr 12th 2021, 19:50 |
khalil |
I think what you’re saying makes sense, but it’s really annoying |
| # |
Apr 12th 2021, 19:50 |
khalil |
Thanks for the feedback guys! |
| # |
Apr 12th 2021, 17:05 |
greg138 |
I need to spend some time wrapping my head around what forms it might be okay to skip that check, and where it's not, to replace the unfriendly black-hole message with something about a timeout and maybe regenerate the form with the data preserved. |
| # |
Apr 12th 2021, 17:03 |
greg138 |
I haven't come to a good conclusion on how best to handle that situation yet myself. :( |
| # |
Apr 12th 2021, 17:03 |
greg138 |
If I could witness your profile edit form, I could re-send it but with my own password or email address. |
| # |
Apr 12th 2021, 17:03 |
kevin.pfeifer |
"betterr" => easier |
| # |
Apr 12th 2021, 17:03 |
kevin.pfeifer |
so basicall it would be better to just show a notice after X minutes to just refresh instead of trying to fix the onscreen form :) |
| # |
Apr 12th 2021, 17:02 |
kevin.pfeifer |
ah ok |
| # |
Apr 12th 2021, 17:02 |
greg138 |
i.e. re-using the token, etc. to make the form appear legitimate to the rest of the form security. |
| # |
Apr 12th 2021, 17:01 |
greg138 |
It's not a super robust replay prevention scheme. It just assumes that any form submitted more than X minutes after it was generated is probably not from a real user, but someone replaying form contents they somehow captured earlier (but with different values to benefit themselves). |
| # |
Apr 12th 2021, 17:00 |
kevin.pfeifer |
well how does it check if its a replay attack then :thinking_face: |
| # |
Apr 12th 2021, 16:52 |
greg138 |
There's also a timeout in there, to avoid replay attacks. Not sure where that's covered in the docs. |
| # |
Apr 12th 2021, 16:49 |
kevin.pfeifer |
seems like your form falls into one of these conditions • Unknown fields cannot be added to the form. • Fields cannot be removed from the form. • Values in hidden inputs cannot be modified. https://book.cakephp.org/4/en/controllers/components/security.html#form-tampering-prevention |
| # |
Apr 12th 2021, 16:12 |
greg138 |
This isn't CSRF, it's the form security component. |
| # |
Apr 12th 2021, 14:01 |
kevin.pfeifer |
either `mysqldump` via SSH or export the database via e.g. PHPMyAdmin |
| # |
Apr 12th 2021, 12:42 |
nayakvradhit |
Now my concern is It possible to copy db from old server to new server for this db? |
| # |
Apr 12th 2021, 12:41 |
nayakvradhit |
I have resolved it by granting privileges to the user and after that i got unknown db called dbname and I have created db and now that issue also gine |
| # |
Apr 12th 2021, 12:40 |
nayakvradhit |
Hi Kevin, |
| # |
Apr 12th 2021, 11:56 |
neon1024 |
I can work with that for now |
| # |
Apr 12th 2021, 11:56 |
neon1024 |
Hehe, now I get a file `LOGSerror.log` :) |
| # |
Apr 12th 2021, 11:42 |
neon1024 |
Oh it’s the same, I shall go look |
| # |
Apr 12th 2021, 11:42 |
neon1024 |
Sorry that didn’t work. You linked `master` perhaps it’s different for 3.x :) |
| # |
Apr 12th 2021, 11:20 |
neon1024 |
Ahh, nice, thanks @admad |
| # |
Apr 12th 2021, 11:19 |
admad |
https://github.com/cakephp/cakephp/blob/master/src/Core/StaticConfigTrait.php#L191 |
| # |
Apr 12th 2021, 10:57 |
neon1024 |
Just whilst I am on a roll. I would like to log to file for my local env. I used `export LOG_ERROR_URL="file://logs?levels[]=warningandlevels[]=errorandlevels[]=criticalandlevels[]=alertandlevels[]=emergencyandfile=error"` but for some reason the log files are written to the root of my project instead of to `/logs` what have I missed from my DSN? |
| # |
Apr 12th 2021, 10:47 |
neon1024 |
Seems it does! Must be some secret __call in the entity trait :thinking_face: |
| # |
Apr 12th 2021, 10:45 |
neon1024 |
Just wondering if there is some secret magic in the background |
| # |
Apr 12th 2021, 10:45 |
neon1024 |
Just a quick question. In Cake 3 accessing an entity property directly such as. `$example->thing` does that still use the `_getThing()` accessor method, or do I have to use `$example->get('thing')` ? |
| # |
Apr 12th 2021, 09:56 |
me1367 |
That'll make it executable so that you don't have to run `php bin/cake` |