Tags: php, security, cakephp, external, blackhole

How do I get (external) data into CakePHP with Security on?


I'm implementing the Rabo OmniKassa (which is a bit like Paypal) into a CakePHP application. I've read the Rabo manual, I tested it on an 'empty' project (without Security) and it all worked perfectly.

Now I'm implementing it in the actual application, and there are some problems with the data the Rabo OmniKassa sends back to my application -- which are caused by the Security component.

The Security component blocks the POST data the RaboKassa sends me, because it might be a threat to the application (external server inserting data etc...). It's returning a black hole.

When I just load the page without the redirect from the RaboKassa, it obviously loads, but since it has no POST data, it doesn't really do anything.

I've tried quite a few options I found on the internet like

$this->Components->disable('Security');

and

$this->Security->csrfCheck = false;

and

$this->Security->unlockedActions = array(
        'kassareturn' // which is the function the RaboKassa has to return to
    );

but none of them seem to work.

I can't seem to solve this problem, so is there anyone who's tried this or something similar before?

I can't alter the RaboKassa, so I have to receive the POST data...

I'm using CakePHP 2.1.3.


Solution

  • I'd recommend always checking the official docs first before you start trying stuff you find somewhere on the internet.

    POST data validation needs to be disabled too

    Besides the CSRF check there's also POST data validation. When receiving POST data from external sources you'll have to disable both checks.

    $this->Security->csrfCheck = false;
    $this->Security->validatePost = false;
    

    And don't forget to make sure that you're disabling this only for your specific action!

    public function beforeFilter() {
        parent::beforeFilter();
    
        // Only the action that receives the external POST gets both checks disabled;
        // every other action keeps the CSRF check and the POST data validation.
        if($this->request->params['action'] === 'kassareturn') {
            $this->Security->csrfCheck = false;
            $this->Security->validatePost = false;
        }
    }
    

    See also

    SecurityComponent::$unlockedActions as of CakePHP 2.3

    I think you'll notice that using SecurityComponent::$unlockedActions will magically start working once you've updated your CakePHP installation to at least 2.3.x, as this feature is only available as of CakePHP 2.3.

    See also http://book.cakephp.org/...disabling-csrf-and-post-data-validation-for-specific-actions
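As an added example (not code from the question, the answer, CakePHP or Rabo OmniKassa), the following shows the complete pattern for CakePHP 2.x: the SecurityComponent's CSRF check and POST data validation are switched off only for the callback action, and because that action is now reachable by any server that can send it a POST, it verifies the payload's authenticity itself. The action name `kassareturn` comes from the question; the `KassaController` class, the `CALLBACK_SECRET` constant, and the assumed `Data`/`Seal` fields with an HMAC-SHA256 seal over `Data` are illustrative assumptions, not the provider's real callback format.

```php
<?php
// Added example: CakePHP 2.x controllers for receiving an external POST with the
// SecurityComponent enabled. Not the original post's code nor the provider's.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array('Security');

    // Actions that receive POSTs from an external server. Hypothetical list;
    // 'kassareturn' is the action named in the question.
    protected $externalPostActions = array('kassareturn');

    public function beforeFilter() {
        parent::beforeFilter();

        if (in_array($this->request->params['action'], $this->externalPostActions, true)) {
            // The external POST carries neither a CSRF token nor the _Token fields
            // that validatePost expects, so without both lines it is black-holed.
            // Every other action keeps both checks.
            $this->Security->csrfCheck = false;
            $this->Security->validatePost = false;
        }
    }
}

class KassaController extends AppController {

    // Hypothetical shared secret agreed with the payment provider; in a real
    // deployment load it from Configure rather than hard-coding it.
    const CALLBACK_SECRET = 'replace-with-the-real-shared-secret';

    public function kassareturn() {
        $this->autoRender = false;

        // Only a POST can be a provider callback; anything else is rejected.
        if (!$this->request->is('post')) {
            throw new MethodNotAllowedException();
        }

        $data = isset($this->request->data['Data']) ? (string) $this->request->data['Data'] : '';
        $seal = isset($this->request->data['Seal']) ? (string) $this->request->data['Seal'] : '';

        // Assumed scheme: the provider seals 'Data' with HMAC-SHA256 over the shared
        // secret. With CSRF and POST validation off, this check is what stops an
        // arbitrary host from posting a fake "payment succeeded" message.
        // hash_equals() (PHP 5.6+) keeps the comparison constant-time.
        $expected = hash_hmac('sha256', $data, self::CALLBACK_SECRET);
        if ($seal === '' || !hash_equals($expected, $seal)) {
            CakeLog::write('warning', 'kassareturn: seal mismatch from ' . $this->request->clientIp());
            throw new ForbiddenException();
        }

        // Assumed payload layout: "key=value|key=value|..." pairs inside Data.
        $fields = array();
        foreach (explode('|', $data) as $pair) {
            $parts = explode('=', $pair, 2);
            if (count($parts) === 2) {
                $fields[$parts[0]] = $parts[1];
            }
        }

        // Hand the verified fields to the model layer; the field names are assumed.
        $this->loadModel('Payment');
        $this->Payment->save(array('Payment' => array(
            'reference' => isset($fields['transactionReference']) ? $fields['transactionReference'] : null,
            'status'    => isset($fields['responseCode']) ? $fields['responseCode'] : null,
            'raw'       => $data,
        )));

        $this->response->statusCode(200);
        $this->response->body('OK');
        return $this->response;
    }
}
```

The point of keeping the disabling inside `beforeFilter()` keyed on the action name is that the rest of the application still gets the SecurityComponent's protection; the callback action trades that protection for a signature check it performs itself, and a provider callback that fails the check is logged and refused rather than processed.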