Don't use it if you think it is a mess and not real security.
You can implement secure forms yourself by using field whitelists and a
CSRF token. I rarely use this component and I manage with those pretty fine.
On Tuesday, September 9, 2014 3:47:05 AM UTC+2, #2Will wrote:
>
> I've got an app I have been maintaining for a while now. The security
> component causes more headaches than anything else. In fact, because
> CakePHP is so nice to work with, I think the Security Component (SC) causes all
> the headaches...
>
> I've read through the docs a fair bit; I have bits of code scattered
> around turning off the SC all over the place, which makes me feel sick from
> 2 points of view:
>
> 1. What a mess
> 2. No SC == not great security.
>
>
> One issue is it doesn't seem to give back enough detail on EXACTLY what
> went wrong.
>
> This morning a form that has no JS has decided to blackhole even though
> I'm applying the following fugly hack to ask it to leave me alone....
>
>
> $this->Security->allowedControllers = array("people");
> if (in_array($this->action, array('edit', 'simport'))) {
>     $this->Security->validatePost = false;
> }
>
>
> I email myself every time these occur, with "details" of the error,
> which more or less amount to $type = "auth" - which according to the docs
> means:
>
> "Indicates a form validation error, or a controller/action mismatch error."
>
> Well, I / JS hasn't messed with the form (that's what form validation is
> about, right?), that is being disabled anyway, and it's showing the form
> in the action simport and posting to that action, all in the same
> controller.
>
> Adding this deeply depressing line of code makes my basic form work:
> $this->Components->unload('Security');
>
> How can I get much better details of the error? How can I work with SC in
> a better way so it is generally on, not disabled around the site for
> assorted poorly understood reasons?
>
> W
>
>
--
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
Visit this group at http://groups.google.com/group/cake-php.
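The two measures the reply names, a field whitelist and a CSRF token, written out as an added example that is not part of the thread and uses no CakePHP classes; it assumes PHP 7+ and the function names are my own:

```php
<?php
// Added example (not from the thread): a minimal hand-rolled form guard
// covering the two measures the reply names, a field whitelist and a CSRF
// token. Plain PHP 7+, no CakePHP classes; function names are assumptions.

// Issue (or reuse) a per-session CSRF token and return it for the form.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded for the hidden field
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Verify the submitted token in constant time. Returns false on any mismatch
// so the caller can log the exact reason instead of a bare "auth" blackhole.
function csrfValid(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || empty($post['_csrf'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string)$post['_csrf']);
}

// Keep only the fields this action expects; anything else (e.g. an injected
// "role" field) is dropped and reported, never handed to save().
function whitelistFields(array $post, array $allowed, array &$rejected = []): array
{
    $rejected = array_values(array_diff(array_keys($post), $allowed, ['_csrf']));
    return array_intersect_key($post, array_flip($allowed));
}

// Usage with constructed sample data (a real request uses $_SESSION and $_POST).
$session = [];
$token = csrfToken($session); // goes into <input type="hidden" name="_csrf" ...>
$post = ['name' => 'Alice', 'email' => 'alice@example.com', 'role' => 'admin', '_csrf' => $token];

if (!csrfValid($session, $post)) {
    error_log('form rejected: CSRF token missing or mismatched');
    exit;
}
$clean = whitelistFields($post, ['name', 'email'], $rejected);
if ($rejected) {
    error_log('form carried unexpected fields: ' . implode(',', $rejected));
}
// $clean holds only the whitelisted fields and can go to the model's save()
```

Logging the rejected field names and the token state separately is what gives the "much better details" the original post asks for, instead of a single opaque "auth" type.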