I'm trying to get CakePHP's Security Component for CSRF protection working with AJAX.
I have my ArtistsDates-Controller (to save all the dates of shows an Artist/DJ has), which contains an addedit-view.
This view is loaded via jQuery AJAX into a jQuery Modalbox (SimpleModal):
```javascript
function artist_dates(request){
    .
    .
    if(request == 'load'){
        $.ajax({
            type: 'post',
            url: $('base').attr('href') + '/artist_dates/addedit/'+artist_id,
            success: function(html){
                $('#dialog').html(html);
                $('#dialog').modal({
                    modal: false,
                    maxHeight:'500px',
                    minHeight:500,
                    minWidth:750
                });
            }
        });
    }
    .
    .
}
```
In this View, my Form is rendered as an addedit_daterow_form-Element. This element is either called with data or in "NEW"-Mode. If data is provided, the element displays the data and contains a hidden edit form. If it's called in "NEW"-Mode, it returns an empty Form. So, this element is rendered for every datarow in the ArtistDate-Model (+1 more for adding a new one!)
(here's a screenshot of the view: https://i.sstatic.net/Ye10v.png)
The Security-Component is included in the ArtistDatesController. Unfortunately $this->Form->request->params contains the [_Token] neither in the addedit-view nor in the addedit_daterow_form-element. Do I have to change something in my jQuery-AJAX-Function?
-- EDIT 1: This is what my Form-Code looks like:
```php
<?php echo $this->Form->create('ArtistDate', array('controller' => 'artist_dates','action' => 'addedit', 'id' => 'artistDateForm_'.$date_nr)); ?>
<?php echo pr($this->Form->request->params); ?>
<?php echo $this->Form->input('ArtistDate.'.$date_nr.'.id',array('type' => 'hidden', 'value' => $date['ArtistDate']['id'])); ?>
<?php echo $this->Form->input('ArtistDate.'.$date_nr.'.artist_id',array('type' => 'hidden', 'value' => $date['ArtistDate']['artist_id'])); ?>
<div class="date">
    <?php echo $this->Form->input('ArtistDate.'.$date_nr.'.date', array('type' => 'text','label' => 'Date <span style="font-weight:normal; float:right;">[DD.MM.YYYY]</span>','value' => (!empty($date['ArtistDate']['date']) ? date('d.m.Y',strtotime($date['ArtistDate']['date'])) : ''))); ?>
    <?php echo $this->Form->input('ArtistDate.'.$date_nr.'.date_end', array('type' => 'text','label' => 'Enddate <span style="font-weight:normal; float:right;">[DD.MM.YYYY]</span>','value' =>(!empty($date['ArtistDate']['date_end']) ? date('d.m.Y',strtotime($date['ArtistDate']['date_end'])) : ''))); ?>
</div>
<div class="venue">
    <?php echo $this->Form->input('ArtistDate.'.$date_nr.'.venue', array('type' => 'text','value' => $date['ArtistDate']['venue'])); ?>
    <?php echo $this->Form->input('ArtistDate.'.$date_nr.'.city', array('type' => 'text','value' => $date['ArtistDate']['city'])); ?>
</div>
<div class="link">
    <?php echo $this->Form->input('ArtistDate.'.$date_nr.'.venuelink', array('type' => 'text','label' => 'Link <span style="font-weight:normal; float:right;">Venue</span>','value' => $date['ArtistDate']['venuelink'])); ?>
    <?php echo $this->Form->input('ArtistDate.'.$date_nr.'.ticketslink', array('type' => 'text','label' => 'Link <span style="font-weight:normal; float:right;">Tickets</span>','value' => $date['ArtistDate']['ticketslink'])); ?>
</div>
<div class="actions">
    <?php echo $this->Html->link('','',array('class' => 'buttonsave','onclick' => "artistdate_handling('".$date_nr."','save'); return false;", 'style' => $display_exists, 'escape' => false, 'title' => 'Save')); ?>
    <?php echo $this->Html->link('','',array('class' => $approveclass, 'onclick' => "artistdate_handling('".$date_nr."','confirm'); return false;", 'style' => $display_exists, 'escape' => false, 'title' => 'Confirm Show')); ?>
    <?php echo $this->Html->link('','',array('class' => 'buttondelete','onclick' => "artistdate_handling('".$date_nr."','delete'); return false;", 'style' => $display_exists, 'escape' => false, 'title' => 'Delete Show')); ?>
    <?php echo $this->Html->link('','',array('class' => 'buttonadd','onclick' => "artistdate_handling('".$date_nr."','add'); return false;", 'style' => $display_new, 'escape' => false, 'title' => 'Add Show')); ?>
</div>
<div style="clear:both"></div>
<?php echo $this->Form->end(); ?>
```
Thanks a lot in advance!
Figured out a way to make it work.
Using
```javascript
$.ajax({
    type: 'get'
    .
    .
});
```
returns a form containing the token.
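The round-trip that answer implies, as an added example that is not code from the question or from CakePHP: the form is fetched with GET (so the SecurityComponent does not treat the load as a submission and FormHelper emits the token), the loaded HTML is checked for both _Token parts before anything is wired up, and the save goes back as a POST carrying the hidden fields unchanged. The transport object, fakeTransport, SAMPLE_FORM_HTML and the placeholder token values are assumptions so the flow runs without a browser.

```javascript
// Constructed sample of the HTML the GET request returns, shaped like
// CakePHP 2 FormHelper output; the token values are placeholders.
const SAMPLE_FORM_HTML = [
  '<form action="/artist_dates/addedit/7" id="artistDateForm_1" method="post">',
  '<div style="display:none;"><input type="hidden" name="_method" value="POST"/>',
  '<input type="hidden" name="_Token[key]" value="CONSTRUCTED_KEY"/></div>',
  '<input type="hidden" name="data[ArtistDate][1][id]" value="42"/>',
  '<input type="text" name="data[ArtistDate][1][venue]" value="Old venue"/>',
  '<div style="display:none;"><input type="hidden" name="_Token[fields]" value="CONSTRUCTED_FIELDS_HASH"/>',
  '<input type="hidden" name="_Token[unlocked]" value=""/></div></form>',
].join('\n');

// Collect every <input name="..." value="..."> from the returned HTML
// (in the browser $(form).serializeArray() does this; regex keeps it DOM-free).
function formFields(html) {
  const fields = {};
  const inputRe = /<input\b[^>]*>/g;
  let tag;
  while ((tag = inputRe.exec(html)) !== null) {
    const name = /\bname="([^"]*)"/.exec(tag[0]);
    const value = /\bvalue="([^"]*)"/.exec(tag[0]);
    if (name) fields[name[1]] = value ? value[1] : '';
  }
  return fields;
}

// SecurityComponent checks both on POST: _Token[key] (the CSRF nonce) and
// _Token[fields] (a hash over field names and locked, i.e. hidden, values).
function hasSecurityToken(fields) {
  return Boolean(fields['_Token[key]'] && fields['_Token[fields]']);
}

// Load with GET so FormHelper renders the token, then POST everything back
// with hidden fields untouched and only the user-editable inputs overridden.
function loadThenSave(transport, url, edits) {
  const fields = formFields(transport.get(url));
  if (!hasSecurityToken(fields)) throw new Error('loaded form has no _Token fields');
  return transport.post(url, Object.assign({}, fields, edits));
}

// Offline stand-in for $.ajax that records what was sent (wrap $.ajax for real use).
function fakeTransport(html) {
  const calls = [];
  return {
    calls,
    get(url) { calls.push({ method: 'GET', url }); return html; },
    post(url, data) { calls.push({ method: 'POST', url, data }); return { ok: true }; },
  };
}
```

Only the text inputs may change between load and save; the hidden values are part of the _Token[fields] hash, so altering them client-side is rejected by the SecurityComponent as well.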