I was able to solve the first question myself: In my controller actions I always check `if ($this->data)` before saving or editing a record. If variables are passed via GET (a harmful link, for example), `$this->data` is empty and nothing harmful can happen. In other words, without using the POST method it's not possible to add or edit a record. Hence, security->requirePost just seems to be necessary for the delete actions.
Still, do I have to replace all delete links with small forms which contain the authentication token?

On Aug 11, 5:54 pm, Özgür Demir <[email protected]> wrote:
> Hi everybody,
>
> I'm pretty sure this must have been answered somewhere. However, I wasn't able to find an answer yet. I have two questions regarding the security component.
>
> 1. Authentication tokens seem to be checked by the security component only if data is passed via POST. I assume this since my delete action is performed through a delete link even if the action is protected by the security component. This makes the security component useless for CSRF without the use of security->requirePost(). Am I right with this?
>
> 2. It's obvious that my "add/edit" links are not working if using requirePost('add','edit'). I could solve this by adding requirePost('add','edit') only if data is submitted by the user, like this:
>
> in beforeFilter
> if ($this->data) {
>     $this->Security->requirePost('add', 'edit');
> }
>
> But how do I handle the delete links? Do I have to replace all of them with small forms which contain the authentication token?
>
> Thanks for your help...
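As an added illustration (not code from either poster), here is one way to do what the thread converges on in CakePHP 1.x: require POST only for `delete`, log black-holed requests, and replace each delete link with a small form so the Security component's `_Token` fields travel with the request. The model/controller names (`Post`, `PostsController`), the callback name `forceBlackHole` and the view path are assumptions.

```php
<?php
// controllers/posts_controller.php (assumed names; CakePHP 1.3 style)
class PostsController extends AppController {
    var $name = 'Posts';
    var $components = array('Security', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        // GET links carry no _Token fields, so the Security component has
        // nothing to validate; requiring POST for delete makes the CSRF
        // token check mandatory. add/edit stay GET-reachable for the form.
        $this->Security->requirePost('delete');
        // Assumed callback name: run when a request is black-holed
        // (default behaviour without it is a bare 404).
        $this->Security->blackHoleCallback = 'forceBlackHole';
    }

    function forceBlackHole($type) {
        // Record rejected requests so token failures are visible in logs.
        $this->log('Security black-hole (' . $type . ') from ' . env('REMOTE_ADDR'), LOG_DEBUG);
        $this->cakeError('error404');
    }

    function delete($id = null) {
        // requirePost('delete') guarantees we only reach this with POST data
        if (!$id) {
            $this->Session->setFlash('Invalid id');
            $this->redirect(array('action' => 'index'));
        }
        if ($this->Post->delete($id)) {
            $this->Session->setFlash('Post deleted');
        }
        $this->redirect(array('action' => 'index'));
    }
}
?>

<?php
// views/posts/index.ctp: a tiny form per row instead of a delete link.
// With the Security component loaded, Form->create() adds the hidden
// _Token.key field and Form->end() adds _Token.fields automatically.
foreach ($posts as $post):
    echo $this->Form->create('Post', array(
        'url'  => array('action' => 'delete', $post['Post']['id']),
        'type' => 'post',
    ));
    echo $this->Form->end('Delete');
endforeach;
?>
```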
