Tags: security, cakephp, get, cakephp-2.x

Using Cakephp Security Component with default get parameter


I have a problem with CakePHP's Security Component. My site has a default GET parameter for handling different languages. I have overridden the default redirect function in my AppController so that every time a redirect or POST is made, I'm appending the language GET parameter to the URL.

This all works fine, and now I'm trying to implement CakePHP's Security Component. As you can imagine, the problem is that the Security Component blocks my attempts to delete some DB entries because of the GET parameter: (The request has been black-holed...)

So my question is: is there any way I can use the Security Component with my GET parameter? I'm thinking about something like whitelisting some GET parameters.

Thanks in advance.


Solution

  • I finally found a solution for my problem. I don't know if this is the best way, but maybe it can still help someone... So first some clarifications: My request was black-holed (form validation error, or a controller/action mismatch error) because I had appended the language GET parameter in my AppController after the security token was generated.

    I could fix this by making some changes in CakePHP's default FormHelper located in lib/Cake/View/Helper/. In my case I just needed to add a few lines to the postLink function:

    // At the top of FormHelper.php: Sanitize lives in lib/Cake/Utility and is not loaded by default.
    App::uses('Sanitize', 'Utility');

    // Only append the language parameter when it is present AND one of the known
    // language codes; any other value is ignored and the URL is left unchanged.
    if (isset($this->request->query['lng']) && in_array($this->request->query['lng'], array('eng', 'de', 'ru'))) {

        // Belt and braces: strip everything except alphanumerics and the listed characters.
        // (The in_array() check above already limits the value to three known codes.)
        $lng = Sanitize::paranoid($this->request->query['lng'], array('!', '\'', '?', '_', '.', ' ', '-', '['));

        // Add it as a query-string parameter unless the URL already carries one.
        if (is_array($url) && !isset($url['?'])) {
            $url['?'] = array('lng' => $lng);
        }
    }

    $formUrl = $this->url($url);
    

    So what I did here is:

    First I checked whether a request query parameter named 'lng' is given; then, after some security checks (in_array() and Sanitize::paranoid), I just needed to add this parameter to the $url array.
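The same whitelisting can be done without editing a core file under lib/Cake, which would be lost on the next CakePHP upgrade: extend FormHelper in app/View/Helper and alias it in the controller. This is an added example, not code from the answer above or from CakePHP itself. The class name AppFormHelper, the language list and the parameter name lng are assumptions carried over from the answer.

```php
<?php
// app/View/Helper/AppFormHelper.php
//
// Added example: whitelists the 'lng' GET parameter into form URLs by extending
// FormHelper instead of editing lib/Cake/View/Helper/FormHelper.php.
// The class name, the language list and the parameter name are assumptions.
App::uses('FormHelper', 'View/Helper');

class AppFormHelper extends FormHelper {

/**
 * Language codes that may be copied from the request into generated form URLs.
 * Anything not in this list is dropped, so a request value never reaches the
 * form action unchecked.
 */
	public $allowedLanguages = array('eng', 'de', 'ru');

/**
 * Returns $url with the current request's whitelisted 'lng' parameter added.
 * String URLs, and URLs whose query was given as a raw string, are returned as-is.
 */
	protected function _withLanguage($url) {
		if (!is_array($url) || !isset($this->request->query['lng'])) {
			return $url;
		}
		$lng = $this->request->query['lng'];
		// Strict comparison: no type juggling, and arrays (?lng[]=x) are rejected.
		if (!is_string($lng) || !in_array($lng, $this->allowedLanguages, true)) {
			return $url;
		}
		if (!isset($url['?'])) {
			$url['?'] = array();
		}
		if (!is_array($url['?'])) {
			return $url; // query passed as a raw string; leave it untouched
		}
		// Array union keeps any language the caller set explicitly.
		$url['?'] += array('lng' => $lng);
		return $url;
	}

/**
 * postLink() builds its own hidden form; give that form the language parameter
 * before the Security token is generated for it.
 */
	public function postLink($title, $url = null, $options = array(), $confirmMessage = false) {
		return parent::postLink($title, $this->_withLanguage($url), $options, $confirmMessage);
	}

/**
 * Same treatment for an explicit 'url' option passed to create().
 */
	public function create($model = null, $options = array()) {
		if (isset($options['url'])) {
			$options['url'] = $this->_withLanguage($options['url']);
		}
		return parent::create($model, $options);
	}
}

// In AppController, alias the helper so $this->Form in the views uses this class:
//     public $helpers = array('Form' => array('className' => 'AppForm'));
```

Two points worth keeping from this version: the third argument to in_array() makes the comparison strict, so only an exact string from the list passes, and the check rejects a non-string value such as ?lng[]=de instead of passing it on. Loosening the Security Component instead (for example unlockedActions, available from CakePHP 2.3, or setting validatePost to false) would let the request through, but it would also remove the form-tampering and CSRF protection on the delete action, which is what the component is there for.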