The Security Component creates an easy way to integrate tighter security in your application. It provides methods for various tasks like:
_authRequired( Controller $controller )
Check if authentication is required
Parameters: Controller $controller
Returns: boolean|null
_callback( Controller $controller , string $method , array $params = array() )
Calls a controller callback method
Parameters: Controller $controller; string $method; array $params = array() (optional)
Returns: mixed
Throws: BadRequestException
_expireTokens( array $tokens )
Expire CSRF nonces and remove them from the valid tokens. Uses a simple timeout to expire the tokens.
Parameters: array $tokens
Returns: array
_methodsRequired( Controller $controller )
Check if HTTP methods are required
Parameters: Controller $controller
Returns: boolean
_requireMethod( string $method , array $actions = array() )
Sets the actions that require a $method HTTP request, or empty for all actions
Parameters: string $method; array $actions = array() (optional)
_secureRequired( Controller $controller )
Check if access requires secure connection
Parameters: Controller $controller
Returns: boolean
_validateCsrf( Controller $controller )
Validate that the controller has a CSRF token in the POST data and that the token is legit/not expired. If the token is valid it will be removed from the list of valid tokens.
Parameters: Controller $controller
Returns: boolean
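
The timeout-and-consume behaviour that _expireTokens() and _validateCsrf() describe, shown as a standalone model. This is an added example, not CakePHP's source code; the function names, the 30-minute lifetime and the `_Token` / `key` POST field layout are assumptions of the sketch, and random_bytes() needs PHP 7 or later.

```php
<?php
// Simplified model of the CSRF nonce lifecycle (added example, not CakePHP source).
// $tokens maps nonce => Unix expiry timestamp; all function names are hypothetical.

// Create a nonce that stays valid for $ttl seconds after $now.
function issueToken(array &$tokens, $now, $ttl = 1800) {
    $nonce = bin2hex(random_bytes(16));
    $tokens[$nonce] = $now + $ttl;
    return $nonce;
}

// Timeout-based expiry: drop every nonce whose expiry time has passed.
function expireTokens(array $tokens, $now) {
    foreach ($tokens as $nonce => $expires) {
        if ($expires < $now) {
            unset($tokens[$nonce]);
        }
    }
    return $tokens;
}

// True only for a known, unexpired nonce; a valid nonce is consumed,
// so replaying the same form submission fails.
function validateCsrf(array &$tokens, array $post, $now) {
    $tokens = expireTokens($tokens, $now);
    if (!isset($post['_Token']['key']) || !is_string($post['_Token']['key'])) {
        return false; // no token in the POST data
    }
    $key = $post['_Token']['key'];
    if (!isset($tokens[$key])) {
        return false; // unknown, expired or already used
    }
    unset($tokens[$key]);
    return true;
}

// Constructed sample run with a fixed clock.
$now = 1000000;
$tokens = array();
$fresh = issueToken($tokens, $now);
$stale = issueToken($tokens, $now - 3600); // issued an hour ago, past its lifetime
$post = array('_Token' => array('key' => $fresh));

var_dump(validateCsrf($tokens, $post, $now)); // first submission
var_dump(validateCsrf($tokens, $post, $now)); // replay of the same token
var_dump(validateCsrf($tokens, array('_Token' => array('key' => $stale)), $now));
var_dump(validateCsrf($tokens, array(), $now)); // POST without a token
```
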
_validatePost( Controller $controller )
Validate submitted form
Parameters: Controller $controller
Returns: boolean
blackHole( Controller $controller , string $error = '' )
Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error
Parameters: Controller $controller; string $error = '' (optional)
Returns: mixed
Throws: BadRequestException
See: SecurityComponent::$blackHoleCallback
generateToken( CakeRequest $request )
Manually add CSRF token information into the provided request object.
Parameters: CakeRequest $request
Returns: boolean
requireAuth( )
Sets the actions that require whitelisted form submissions.
Adding actions with this method will enforce the restrictions set in SecurityComponent::$allowedControllers and SecurityComponent::$allowedActions.
requireDelete( )
Sets the actions that require a DELETE request, or empty for all actions
requireGet( )
Sets the actions that require a GET request, or empty for all actions
requirePost( )
Sets the actions that require a POST request, or empty for all actions
requirePut( )
Sets the actions that require a PUT request, or empty for all actions
requireSecure( )
Sets the actions that require a request that is SSL-secured, or empty for all actions
startup( Controller $controller )
Component startup. All security checking happens here.
Parameters: Controller $controller
Overrides: Component::startup()
__construct( ComponentCollection $collection , array $settings = array() )
Constructor
Parameters: ComponentCollection $collection; array $settings = array() (optional)
Overrides: Object::__construct()
__get( string $name )
Magic method for lazy loading $components.
Parameters: string $name
Returns: mixed
beforeRedirect( Controller $controller , string|array $url , integer $status = null , boolean $exit = true )
Called before Controller::redirect(). Allows you to replace the URL that will be redirected to with a new URL. The return of this method can either be an array or a string.
If the return is an array and contains a 'url' key, you may also supply the following:
status: The status code for the redirect
exit: Whether or not the redirect should exit.
If your response is a string or an array that does not contain a 'url' key it will be used as the new URL to redirect to.
Parameters: Controller $controller; string|array $url; integer $status = null (optional); boolean $exit = true (optional)
Returns: array|null
beforeRender( Controller $controller )
Called before the Controller::beforeRender(), and before the view class is loaded, and before Controller::render()
Parameters: Controller $controller
initialize( Controller $controller )
Called before the Controller::beforeFilter().
Parameters: Controller $controller
shutdown( Controller $controller )
Called after Controller::render() and before the output is printed to the browser.
Parameters: Controller $controller
_mergeVars( array $properties , string $class , boolean $normalize = true )
Merges this object's $property with the property in $class' definition. This class's value for the property will be merged on top of $class'.
This provides some of the DRY magic CakePHP provides. If you want to shut it off, redefine this method as an empty function.
Parameters: array $properties; string $class; boolean $normalize = true (optional)
_set( array $properties = array() )
Allows setting of multiple properties of the object in a single line of code. Will only set properties that are part of a class declaration.
Parameters: array $properties = array() (optional)
_stop( integer|string $status = 0 )
Stop execution of the current script. Wraps exit() making testing easier.
Parameters: integer|string $status = 0 (optional)
dispatchMethod( string $method , array $params = array() )
Calls a method on this object with the given parameters. Provides an OO wrapper for call_user_func_array
Parameters: string $method; array $params = array() (optional)
Returns: mixed
log( string $msg , integer $type = LOG_ERR , null|string|array $scope = null )
Convenience method to write a message to CakeLog. See CakeLog::write() for more information on writing to logs.
Parameters: string $msg; integer $type = LOG_ERR (optional); null|string|array $scope = null (optional)
Returns: boolean
requestAction( string|array $url , array $extra = array() )
Calls a controller's method from any location. Can be used to connect controllers together or tie plugins into a main application. requestAction can be used to return rendered views or fetch the return value from controller actions.
Under the hood this method uses Router::reverse() to convert the $url parameter into a string URL. You should use URL formats that are compatible with Router::reverse()
POST and GET data can be simulated in requestAction. Use $extra['url'] for GET data. The $extra['data'] parameter allows POST data simulation.
Parameters: string|array $url; array $extra = array() (optional)
Returns: mixed
toString( )
Object-to-string conversion. Each class can override this method as necessary.
Returns: string
protected ComponentCollection
Component collection class used to lazy load components.
protected array
A component lookup table used to lazy load component objects.
array()
© 2005–2016 The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
http://api.cakephp.org/2.7/class-SecurityComponent.html