public function getUser(CakeRequest $request) { if ($request->is('post') && isset($request->data['password'])) { $password = $request->data['password']; if ($this->checkPassword($password)) { return array('loggedin' => true); } else { throw new ForbiddenException(__('Wrong Password')); } } return false; }
/** * Determines the content type of the data the client has sent (i.e. in a POST request) * * @param mixed $type Can be null (or no parameter), a string type name, or an array of types * @return mixed If a single type is supplied a boolean will be returned. If no type is provided * The mapped value of CONTENT_TYPE will be returned. If an array is supplied the first type * in the request content type will be returned. */ public function requestedWith($type = null) { if (!$this->request->is('post') && !$this->request->is('put')) { return null; } list($contentType) = explode(';', env('CONTENT_TYPE')); if ($type == null) { return $this->mapType($contentType); } elseif (is_array($type)) { foreach ($type as $t) { if ($this->requestedWith($t)) { return $t; } } return false; } elseif (is_string($type)) { return $type == $this->mapType($contentType); } }
/** * Ensures that the current request is validated for Authentication * * @return void */ protected function configureApiAccess() { if (isset($this->settings['auth']) && !$this->settings['auth']) { return true; } if ($this->hasError()) { return; } // Do not require authentication if the request isn't considered API if (!$this->request->is('api')) { return; } // If its a public action, do not enforce API security checks if (in_array($this->controller->action, $this->publicActions)) { return; } // If the user has a isAuthorizedApi method, call it and don't check anything else if (method_exists($this->controller, 'isAuthorizedApi')) { if (!$this->controller->isAuthorizedApi()) { throw new ForbiddenException('Permission denied'); } return; } // Do not enforce authentication if the request is already authenticated if ($this->controller->Auth && $this->controller->Auth->user()) { return; } // Get the access token, if any $token = ApiUtility::getRequestToken($this->request); // Deny access if no AccessToken is provided if (empty($token)) { throw new ForbiddenException('Permission denied, missing access token'); } // Deny access if the AccessToken isn't valid if (!$this->controller->Auth->login()) { throw new ForbiddenException('Permission denied, invalid access token'); } }
/** * Generic delete action * * Triggers the following callbacks * - beforeFind * - recordNotFound * - beforeDelete * - afterDelete * * @param string $id * @return void */ protected function _deleteAction($id = null) { if (empty($id)) { $id = $this->getIdFromRequest(); } $this->_validateId($id); if (!$this->_request->is('delete') && !($this->_request->is('post') && false === $this->config('secureDelete'))) { $subject = $this->_getSubject(compact('id')); $this->_setFlash('invalid_http_request.error'); return $this->_redirect($subject, $this->_controller->referer(array('action' => 'index'))); } $query = array(); $query['conditions'] = array($this->_model->escapeField() => $id); $findMethod = $this->_getFindMethod(null, 'count'); $subject = $this->trigger('beforeFind', compact('id', 'query', 'findMethod')); $query = $subject->query; $count = $this->_model->find($subject->findMethod, $query); if (empty($count)) { $subject = $this->trigger('recordNotFound', compact('id')); $this->_setFlash('find.error'); return $this->_redirect($subject, $this->_controller->referer(array('action' => 'index'))); } $subject = $this->trigger('beforeDelete', compact('id')); if ($subject->stopped) { $this->_setFlash('delete.error'); return $this->_redirect($subject, $this->_controller->referer(array('action' => 'index'))); } if ($this->_model->delete($id)) { $this->_setFlash('delete.success'); $subject = $this->trigger('afterDelete', array('id' => $id, 'success' => true)); } else { $this->_setFlash('delete.error'); $subject = $this->trigger('afterDelete', array('id' => $id, 'success' => false)); } return $this->_redirect($subject, $this->_controller->referer(array('action' => 'index'))); }
/** * Check if access requires secure connection * * @param Controller $controller Instantiating controller * @return bool True if secure connection required */ protected function _secureRequired(Controller $controller) { if (is_array($this->requireSecure) && !empty($this->requireSecure)) { $requireSecure = $this->requireSecure; if (in_array($this->_action, $requireSecure) || $this->requireSecure === array('*')) { if (!$this->request->is('ssl')) { if (!$this->blackHole($controller, 'secure')) { return false; } } } } return true; }
/** * Test is('requested') and isRequested() * * @return void */ public function testIsRequested() { $request = new CakeRequest('/posts/index'); $request->addParams(array('controller' => 'posts', 'action' => 'index', 'plugin' => null, 'requested' => 1)); $this->assertTrue($request->is('requested')); $this->assertTrue($request->isRequested()); $request = new CakeRequest('/posts/index'); $request->addParams(array('controller' => 'posts', 'action' => 'index', 'plugin' => null)); $this->assertFalse($request->is('requested')); $this->assertFalse($request->isRequested()); }
/** * Performs a delete on given scaffolded Model. * * @param CakeRequest $request Request for scaffolding * @return mixed Success on delete, error if delete fails * @throws MethodNotAllowedException When HTTP method is not a DELETE * @throws NotFoundException When id being deleted does not exist. */ protected function _scaffoldDelete(CakeRequest $request) { if ($this->controller->beforeScaffold('delete')) { if (!$request->is('post')) { throw new MethodNotAllowedException(); } $id = false; if (isset($request->params['pass'][0])) { $id = $request->params['pass'][0]; } $this->ScaffoldModel->id = $id; if (!$this->ScaffoldModel->exists()) { throw new NotFoundException(__d('cake', 'Invalid %s', Inflector::humanize($this->modelClass))); } if ($this->ScaffoldModel->delete()) { $message = __d('cake', 'The %1$s with id: %2$s has been deleted.', Inflector::humanize($this->modelClass), $id); return $this->_sendMessage($message); } else { $message = __d('cake', 'There was an error deleting the %1$s with id: %2$s', Inflector::humanize($this->modelClass), $id ); return $this->_sendMessage($message); } } elseif ($this->controller->scaffoldError('delete') === false) { return $this->_scaffoldError(); } }
public function isLoginDataAvailable(CakeRequest $request) { return $request->is('post'); }
/** * Setup access for origin and methods on cross origin requests * * This method allow multiple ways to setup the domains, see the examples * * ### Full URI * e.g `cors($request, 'http://www.cakephp.org');` * * ### URI with wildcard * e.g `cors($request, 'http://*.cakephp.org');` * * ### Ignoring the requested protocol * e.g `cors($request, 'www.cakephp.org');` * * ### Any URI * e.g `cors($request, '*');` * * ### Whitelist of URIs * e.g `cors($request, array('http://www.cakephp.org', '*.google.com', 'https://myproject.github.io'));` * * @param CakeRequest $request Request object * @param string|array $allowedDomains List of allowed domains, see method description for more details * @param string|array $allowedMethods List of HTTP verbs allowed * @param string|array $allowedHeaders List of HTTP headers allowed * @return void */ public function cors(CakeRequest $request, $allowedDomains, $allowedMethods = array(), $allowedHeaders = array()) { $origin = $request->header('Origin'); if (!$origin) { return; } $allowedDomains = $this->_normalizeCorsDomains((array) $allowedDomains, $request->is('ssl')); foreach ($allowedDomains as $domain) { if (!preg_match($domain['preg'], $origin)) { continue; } $this->header('Access-Control-Allow-Origin', $domain['original'] === '*' ? '*' : $origin); $allowedMethods && $this->header('Access-Control-Allow-Methods', implode(', ', (array) $allowedMethods)); $allowedHeaders && $this->header('Access-Control-Allow-Headers', implode(', ', (array) $allowedHeaders)); break; } }
/** * test adding detectors and having them work. * * @return void */ function testAddDetector() { $request = new CakeRequest('some/path'); $request->addDetector('compare', array('env' => 'TEST_VAR', 'value' => 'something')); $_SERVER['TEST_VAR'] = 'something'; $this->assertTrue($request->is('compare'), 'Value match failed.'); $_SERVER['TEST_VAR'] = 'wrong'; $this->assertFalse($request->is('compare'), 'Value mis-match failed.'); $request->addDetector('banana', array('env' => 'TEST_VAR', 'pattern' => '/^ban.*$/')); $_SERVER['TEST_VAR'] = 'banana'; $this->assertTrue($request->isBanana()); $_SERVER['TEST_VAR'] = 'wrong value'; $this->assertFalse($request->isBanana()); $request->addDetector('mobile', array('options' => array('Imagination'))); $_SERVER['HTTP_USER_AGENT'] = 'Imagination land'; $this->assertTrue($request->isMobile()); $_SERVER['HTTP_USER_AGENT'] = 'iPhone 3.0'; $this->assertTrue($request->isMobile()); $request->addDetector('callme', array('env' => 'TEST_VAR', 'callback' => array($this, '_detectCallback'))); $request->return = true; $this->assertTrue($request->isCallMe()); $request->return = false; $this->assertFalse($request->isCallMe()); }
/** * check request request authorization * */ public function authorize($user, CakeRequest $request) { // Admin role is allowed to perform all actions, bypassing ACL if ($this->_isAdmin($user)) { return true; } $allowed = false; $Acl = $this->_Collection->load('Acl'); list($plugin, $userModel) = pluginSplit($this->settings['userModel']); $path = '/:plugin/:controller/:action'; if ($request->is('api')) { $path = '/:prefix' . $path; } $action = $this->action($request, $path); $cacheName = 'permissions_' . strval($user['id']); if (($permissions = Cache::read($cacheName, 'permissions')) === false) { $permissions = array(); Cache::write($cacheName, $permissions, 'permissions'); } if (!isset($permissions[$action])) { $User = ClassRegistry::init($this->settings['userModel']); $User->id = $user['id']; $allowed = $Acl->check($User, $action); $permissions[$action] = $allowed; Cache::write($cacheName, $permissions, 'permissions'); $hit = false; } else { $allowed = $permissions[$action]; $hit = true; } if (Configure::read('debug')) { $status = $allowed ? ' allowed.' : ' denied.'; $cached = $hit ? ' (cache hit)' : ' (cache miss)'; CakeLog::write(LOG_ERR, $user['username'] . ' - ' . $action . $status . $cached); } if (!$allowed) { return false; } if (!Configure::read('Access Control.rowLevel')) { return $allowed; } // bail out when controller's primary model does not want row level acl $controller = $this->controller(); $model = $controller->modelClass; $Model = $controller->{$model}; if ($Model && !$Model->Behaviors->attached('RowLevelAcl')) { return $allowed; } $primaryKey = $Model->primaryKey; $ids = array(); if ($request->is('get') && !empty($request->params['pass'][0])) { // collect id from actions such as: Nodes/admin_edit/1 $ids[] = $request->params['pass'][0]; } elseif (($request->is('post') || $request->is('put')) && isset($request->data[$model]['action'])) { // collect ids from 'bulk' processing action such as: Nodes/admin_process foreach ($request->data[$model] as $id => $flag) { if (isset($flag[$primaryKey]) && $flag[$primaryKey] == 1) { $ids[] = $id; } } } foreach ($ids as $id) { if (is_numeric($id)) { try { $allowed = $this->_authorizeByContent($user, $request, $id); } catch (CakeException $e) { $allowed = false; } } else { continue; } if (!$allowed) { break; } } return $allowed; }
/** * Returns true if the current call a DELETE request * * @return boolean True if call is a DELETE * @deprecated Use $this->request->is('delete'); from your controller. */ public function isDelete() { return $this->request->is('delete'); }
/** * Check if access requires secure connection * * @param object $controller Instantiating controller * @return bool true if secure connection required */ protected function _secureRequired($controller) { if (is_array($this->requireSecure) && !empty($this->requireSecure)) { $requireSecure = array_map('strtolower', $this->requireSecure); if (in_array($this->_action, $requireSecure) || $this->requireSecure == array('*')) { if (!$this->request->is('ssl')) { if (!$this->blackHole($controller, 'secure')) { return null; } } } } return true; }
/** * Authenticate a user based on the request information * * @see BaseAuthenticate::authenticate() */ public function authenticate(CakeRequest $request, CakeResponse $response) { if (!empty($request->data) || $request->is('post')) { return false; } return $this->getUser($request); }
/** * add 4 standard request method detectors for ajax calls * add 4 standard request method detectors for nonajax calls * * @param $request CakeRequest. This will be passed by reference * @return CakeRequest. Just in case caller did not know that the CakeRequest object was passed by reference */ public function addAjaxMethodDetectorsTo(CakeRequest $request) { // the 4 method detectors for ajax calls $request->addDetector('ajax_get', array('callback' => function ($request) { return $request->is('ajax') && $request->is('get'); })); $request->addDetector('ajax_post', array('callback' => function ($request) { return $request->is('ajax') && $request->is('post'); })); $request->addDetector('ajax_put', array('callback' => function ($request) { return $request->is('ajax') && $request->is('put'); })); $request->addDetector('ajax_delete', array('callback' => function ($request) { return $request->is('ajax') && $request->is('delete'); })); // the 4 method detectors for NON-ajax calls $request->addDetector('nonajax_get', array('callback' => function ($request) { return !$request->is('ajax') && $request->is('get'); })); $request->addDetector('nonajax_post', array('callback' => function ($request) { return !$request->is('ajax') && $request->is('post'); })); $request->addDetector('nonajax_put', array('callback' => function ($request) { return !$request->is('ajax') && $request->is('put'); })); $request->addDetector('nonajax_delete', array('callback' => function ($request) { return !$request->is('ajax') && $request->is('delete'); })); return $request; }
/** * Performs a delete on given scaffolded Model. * * @param CakeRequest $request Request for scaffolding * @return mixed Success on delete, error if delete fails * @throws MethodNotAllowedException When HTTP method is not a DELETE * @throws NotFoundException When id being deleted does not exist. */ protected function _scaffoldDelete(CakeRequest $request) { if ($this->controller->beforeScaffold('delete')) { $modelClass = $this->controller->modelClass; if (!$request->is('post')) { throw new MethodNotAllowedException(); } $id = false; if (isset($request->params['pass'][0])) { $id = $request->params['pass'][0]; } $this->ScaffoldModel->id = $id; if (!$this->ScaffoldModel->exists()) { throw new NotFoundException(__d('cake', '%s inválido', Inflector::humanize($this->modelClass))); } $deleteID = $this->ScaffoldModel->id; if ($deleteID) { $tableFields = $this->ScaffoldModel->_schema; foreach ($tableFields as $key => $val) { if (subStr($key, -5) == '_file' || subStr($key, -10) == '_th_hidden') { $thisRecord = $this->ScaffoldModel->find('all', array('conditions' => array($modelClass . '.id' => $id))); if (file_exists($thisRecord[0][$modelClass][$key])) { if (!unlink($thisRecord[0][$modelClass][$key])) { unlink($thisRecord[0][$modelClass][$key]); } } } } } if ($this->ScaffoldModel->delete()) { $message = __d('cake', '%1$s com o id: %2$s foi apagado.', Inflector::humanize($this->modelClass), $id); return $this->_sendMessage($message); } else { $message = __d('cake', 'Houve um erro ao apagar %1$s com o id: %2$s', Inflector::humanize($this->modelClass), $id); return $this->_sendMessage($message); } } elseif ($this->controller->scaffoldError('delete') === false) { return $this->_scaffoldError(); } }