
Black-hole error when route pointed to a class that extends plugin and uses extended class


In routes I have:

Router::connect('/opauth-complete/*', array('controller' => 'app_users', 'action' => 'opauth_complete'));

If I replace the app_users controller in the route with anything else and create that controller, everything works with no error. But I need it to work with AppUsersController.

AppUsersController looks like this:

App::uses('UsersController', 'Users.Controller');
class AppUsersController extends UsersController {  
    public function beforeFilter() {
        parent::beforeFilter();
        $this->User = ClassRegistry::init('AppUser');
    }
    // ...
    // ...
    public function opauth_complete() {
        die(1);
    }
    // ...
    // ...
}

So, the plugin is CakeDC Users, and the other plugin, which goes to /example/callback after /example/auth/facebook, is the Opauth plugin.

The error message looks like this:

The request has been black-holed

Error: The requested address '/example/opauth-complete' was not found on this server.

It is perfectly possible to make these two plugins work together; when the browser points to /example/auth/facebook, it redirects to /example/auth/callback, and somehow it needs the opauth-complete route to link to a specific method.

Everything works if the route is not pointed to app_users, which extends and uses the plugin. It fails only in this case. How can users of these two plugins get around such a situation?


Solution

  • I solved it by disabling the Security component on the Opauth action in my AppUsersController. The thing is that Opauth transfers data using POST, and you should either change its method (i.e. use Sessions or GET) or disable the Security component.

    For a method change, use this in your bootstrap.php or core.php:

    Configure::write('Opauth.callback_transport', 'session'); // you can try 'get' too
    

    To follow my approach, add this to the controller where the error occurs and where you place your opauth_complete method:

    public function beforeFilter() {
       // ...
       if (isset($this->Security) && $this->action == 'opauth_complete') {
           $this->Security->validatePost = false;
           $this->Security->csrfCheck = false;
       }
       // ...
    }
    

    P.S. Changing the method to Sessions has its drawbacks; you can take a look at the comments on GitHub Opauth issue #16.
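
A narrower variant of the workaround above, as an added example that is not part of the original answer or of either plugin's code: it exempts only `opauth_complete` through `SecurityComponent::$unlockedActions` (CakePHP 2.3+) and rejects the callback unless the data was marked as validated. The `validated`, `error` and `auth` keys in the request data are assumptions about what the Opauth plugin hands to the action, and the view is hypothetical.

```php
<?php
// Added example; assumes CakePHP 2.3+ and the CakeDC Users + Opauth plugins.
App::uses('UsersController', 'Users.Controller');

class AppUsersController extends UsersController {

    public function beforeFilter() {
        parent::beforeFilter();
        $this->User = ClassRegistry::init('AppUser');

        // Exempt only the Opauth completion action from the Security
        // component's POST validation and CSRF check. Every other action
        // in this controller keeps both protections.
        if (isset($this->Security)) {
            $this->Security->unlockedActions[] = 'opauth_complete';
        }
    }

    public function opauth_complete() {
        $data = $this->request->data;

        // Assumption: the Opauth plugin sets 'validated' after checking the
        // response signature and sets 'error' when the provider reported a
        // failure. Because this action no longer has form-tampering or CSRF
        // protection, nothing in $data is trusted until these checks pass.
        if (empty($data['validated']) || !empty($data['error'])) {
            throw new ForbiddenException(__('Opauth response failed validation'));
        }

        // A usable identity needs at least the provider name and the user id.
        if (empty($data['auth']['provider']) || empty($data['auth']['uid'])) {
            throw new BadRequestException(__('Opauth response is missing provider or uid'));
        }

        // Hand the verified identity to the application's own login or
        // registration logic; here it is only passed to a hypothetical view.
        $this->set('auth', $data['auth']);
    }
}
```

Setting `unlockedActions` in `beforeFilter()` works because the Security component performs its checks in its `startup()` callback, which runs after the controller's `beforeFilter()`.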