CakePHP
  • Documentation
    • Book
    • API
    • Videos
    • Logos & Trademarks
  • Business Solutions
  • Swag
  • Road Trip
  • Team
  • Community
    • Community
    • Team
    • Issues (Github)
    • YouTube Channel
    • Get Involved
    • Bakery
    • Featured Resources
    • Newsletter
    • Certification
    • My CakePHP
    • CakeFest
    • Facebook
    • Twitter
    • Help & Support
    • Forum
    • Stack Overflow
    • IRC
    • Slack
    • Paid Support
CakePHP

C CakePHP 3.7 Red Velvet API

  • Overview
  • Tree
  • Deprecated
  • Version:
    • 3.7
      • 3.7
      • 3.6
      • 3.5
      • 3.4
      • 3.3
      • 3.2
      • 3.1
      • 3.0
      • 2.10
      • 2.9
      • 2.8
      • 2.7
      • 2.6
      • 2.5
      • 2.4
      • 2.3
      • 2.2
      • 2.1
      • 2.0
      • 1.3
      • 1.2

Namespaces

  • Cake
    • Auth
      • Storage
    • Cache
      • Engine
    • Collection
      • Iterator
    • Command
    • Console
      • Exception
    • Controller
      • Component
      • Exception
    • Core
      • Configure
        • Engine
      • Exception
      • Retry
    • Database
      • Driver
      • Exception
      • Expression
      • Schema
      • Statement
      • Type
    • Datasource
      • Exception
    • Error
      • Middleware
    • Event
      • Decorator
    • Filesystem
    • Form
    • Http
      • Client
        • Adapter
        • Auth
      • Cookie
      • Exception
      • Middleware
      • Session
    • I18n
      • Formatter
      • Middleware
      • Parser
    • Log
      • Engine
    • Mailer
      • Exception
      • Transport
    • Network
      • Exception
    • ORM
      • Association
      • Behavior
        • Translate
      • Exception
      • Locator
      • Rule
    • Routing
      • Exception
      • Filter
      • Middleware
      • Route
    • Shell
      • Helper
      • Task
    • TestSuite
      • Fixture
      • Stub
    • Utility
      • Exception
    • Validation
    • View
      • Exception
      • Form
      • Helper
      • Widget
  • None

Classes

  • AuthComponent
  • CookieComponent
  • CsrfComponent
  • FlashComponent
  • PaginatorComponent
  • RequestHandlerComponent
  • SecurityComponent

Class SecurityComponent

The Security Component creates an easy way to integrate tighter security in your application. It provides methods for various tasks like:

  • Restricting which HTTP methods your application accepts.
  • Form tampering protection
  • Requiring that SSL be used.
  • Limiting cross controller communication.
Cake\Controller\Component implements Cake\Event\EventListenerInterface uses Cake\Core\InstanceConfigTrait , Cake\Log\LogTrait
Extended by Cake\Controller\Component\SecurityComponent
Namespace: Cake\Controller\Component
Link: https://book.cakephp.org/3.0/en/controllers/components/security.html
Location: Controller/Component/SecurityComponent.php

Constants summary

  • string
    DEFAULT_EXCEPTION_MESSAGE ¶
    'The request has been black-holed'

Properties summary

  • $_action protected
    string
    Holds the current action of the controller
  • $_defaultConfig protected
    array
    Default config
  • $session public
    Cake\Http\Session
    The Session object

Inherited Properties

  • _componentMap, _registry, components, request, response _config, _configInitialized

Method Summary

  • _authRequired() protected
    Check if authentication is required
  • _callback() protected
    Calls a controller callback method
  • _debugCheckFields() protected
    Iterates data array to check against expected
  • _debugExpectedFields() protected
    Generate debug message for the expected fields
  • _debugPostTokenNotMatching() protected
    Create a message for humans to understand why Security token is not matching
  • _fieldsList() protected
    Return the fields list for the hash calculation
  • _hashParts() protected
    Return hash parts for the Token generation
  • _matchExistingFields() protected

    Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset

  • _requireMethod() protected
    Sets the actions that require a $method HTTP request, or empty for all actions
  • _secureRequired() protected
    Check if access requires secure connection
  • _sortedUnlocked() protected
    Get the sorted unlocked string
  • _throwException() protected
    Check debug status and throw an Exception based on the existing one
  • _unlocked() protected
    Get the unlocked string
  • _validToken() protected
    Check if token is valid
  • _validatePost() protected
    Validate submitted form
  • blackHole() public

    Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error

  • generateToken() public

    Manually add form tampering prevention token information into the provided request object.

  • implementedEvents() public
    Events supported by this component.
  • requireAuth() public
    Sets the actions that require whitelisted form submissions.
  • requireSecure() public
    Sets the actions that require a request that is SSL-secured, or empty for all actions
  • startup() public
    Component startup. All security checking happens here.

Method Detail

_authRequired() protected ¶

_authRequired( Cake\Controller\Controller $controller )

Check if authentication is required

Deprecated
3.2.2 This feature is confusing and not useful.
Parameters
Cake\Controller\Controller $controller
Instantiating controller
Returns
boolean
true if authentication required

_callback() protected ¶

_callback( Cake\Controller\Controller $controller , string $method , array $params [] )

Calls a controller callback method

Parameters
Cake\Controller\Controller $controller
Instantiating controller
string $method
Method to execute
array $params optional []
Parameters to send to method
Returns
mixed
Controller callback method's response
Throws
Cake\Http\Exception\BadRequestException
When a the blackholeCallback is not callable.

_debugCheckFields() protected ¶

_debugCheckFields( array $dataFields , array $expectedFields [] , string $intKeyMessage '' , string $stringKeyMessage '' , string $missingMessage '' )

Iterates data array to check against expected

Parameters
array $dataFields
Fields array, containing the POST data fields
array $expectedFields optional []
Fields array, containing the expected fields we should have in POST
string $intKeyMessage optional ''
Message string if unexpected found in data fields indexed by int (not protected)
string $stringKeyMessage optional ''
Message string if tampered found in data fields indexed by string (protected)
string $missingMessage optional ''
Message string if missing field
Returns
array
Messages

_debugExpectedFields() protected ¶

_debugExpectedFields( array $expectedFields [] , string $missingMessage '' )

Generate debug message for the expected fields

Parameters
array $expectedFields optional []
Expected fields
string $missingMessage optional ''
Message template
Returns
string|null
Error message about expected fields

_debugPostTokenNotMatching() protected ¶

_debugPostTokenNotMatching( Cake\Controller\Controller $controller , array $hashParts )

Create a message for humans to understand why Security token is not matching

Parameters
Cake\Controller\Controller $controller
Instantiating controller
array $hashParts
Elements used to generate the Token hash
Returns
string
Message explaining why the tokens are not matching

_fieldsList() protected ¶

_fieldsList( array $check )

Return the fields list for the hash calculation

Parameters
array $check
Data array
Returns
array

_hashParts() protected ¶

_hashParts( Cake\Controller\Controller $controller )

Return hash parts for the Token generation

Parameters
Cake\Controller\Controller $controller
Instantiating controller
Returns
array

_matchExistingFields() protected ¶

_matchExistingFields( array $dataFields , array $expectedFields , string $intKeyMessage , string $stringKeyMessage )

Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset

Parameters
array $dataFields
Fields array, containing the POST data fields
array $expectedFields
Fields array, containing the expected fields we should have in POST
string $intKeyMessage
Message string if unexpected found in data fields indexed by int (not protected)
string $stringKeyMessage
Message string if tampered found in data fields indexed by string (protected)
Returns
array
Error messages

_requireMethod() protected ¶

_requireMethod( string $method , array $actions [] )

Sets the actions that require a $method HTTP request, or empty for all actions

Parameters
string $method
The HTTP method to assign controller actions to
array $actions optional []
Controller actions to set the required HTTP method to.

_secureRequired() protected ¶

_secureRequired( Cake\Controller\Controller $controller )

Check if access requires secure connection

Parameters
Cake\Controller\Controller $controller
Instantiating controller
Returns
boolean
true if secure connection required

_sortedUnlocked() protected ¶

_sortedUnlocked( array $data )

Get the sorted unlocked string

Parameters
array $data
Data array
Returns
string

_throwException() protected ¶

_throwException( Cake\Controller\Exception\SecurityException|null $exception null )

Check debug status and throw an Exception based on the existing one

Parameters
Cake\Controller\Exception\SecurityException|null $exception optional null
Additional debug info describing the cause
Throws
Cake\Http\Exception\BadRequestException

_unlocked() protected ¶

_unlocked( array $data )

Get the unlocked string

Parameters
array $data
Data array
Returns
string

_validToken() protected ¶

_validToken( Cake\Controller\Controller $controller )

Check if token is valid

Parameters
Cake\Controller\Controller $controller
Instantiating controller
Returns
string
fields token
Throws
Cake\Controller\Exception\SecurityException

_validatePost() protected ¶

_validatePost( Cake\Controller\Controller $controller )

Validate submitted form

Parameters
Cake\Controller\Controller $controller
Instantiating controller
Returns
boolean
true if submitted form is valid
Throws
Cake\Controller\Exception\AuthSecurityException

blackHole() public ¶

blackHole( Cake\Controller\Controller $controller , string $error '' , Cake\Controller\Exception\SecurityException $exception null )

Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback is specified, it will use this callback by executing the method indicated in $error

Parameters
Cake\Controller\Controller $controller
Instantiating controller
string $error optional ''
Error method
Cake\Controller\Exception\SecurityException $exception optional null
Additional debug info describing the cause
Returns
mixed
If specified, controller blackHoleCallback's response, or no return otherwise
Throws
Cake\Http\Exception\BadRequestException
See
\Cake\Controller\Component\SecurityComponent::$blackHoleCallback
Link
https://book.cakephp.org/3.0/en/controllers/components/security.html#handling-blackhole-callbacks

generateToken() public ¶

generateToken( Cake\Http\ServerRequest $request )

Manually add form tampering prevention token information into the provided request object.

Parameters
Cake\Http\ServerRequest $request
The request object to add into.
Returns
Cake\Http\ServerRequest
The modified request.

implementedEvents() public ¶

implementedEvents( )

Events supported by this component.

Returns
array
Overrides
Cake\Controller\Component::implementedEvents()

requireAuth() public ¶

requireAuth( string|array $actions )

Sets the actions that require whitelisted form submissions.

Adding actions with this method will enforce the restrictions set in SecurityComponent::$allowedControllers and SecurityComponent::$allowedActions.

Deprecated
3.2.2 This feature is confusing and not useful.
Parameters
string|array $actions
Actions list

requireSecure() public ¶

requireSecure( string|array|null $actions null )

Sets the actions that require a request that is SSL-secured, or empty for all actions

Parameters
string|array|null $actions optional null
Actions list

startup() public ¶

startup( Cake\Event\Event $event )

Component startup. All security checking happens here.

Parameters
Cake\Event\Event $event
An Event instance
Returns
mixed

Methods inherited from Cake\Controller\Component

__construct() public ¶

__construct( Cake\Controller\ComponentRegistry $registry , array $config [] )

Constructor

Parameters
Cake\Controller\ComponentRegistry $registry
A ComponentRegistry this component can use to lazy load its components
array $config optional []
Array of configuration settings.

__debugInfo() public ¶

__debugInfo( )

Returns an array that can be used to describe the internal state of this object.

Returns
array

__get() public ¶

__get( string $name )

Magic method for lazy loading $components.

Parameters
string $name
Name of component to get.
Returns
mixed
A Component object or null.

getController() public ¶

getController( )

Get the controller this component is bound to.

Returns
Cake\Controller\Controller
The bound controller.

initialize() public ¶

initialize( array $config )

Constructor hook method.

Implement this method to avoid having to overwrite the constructor and call parent.

Parameters
array $config
The configuration settings provided to this component.

Methods used from Cake\Core\InstanceConfigTrait

_configDelete() protected ¶

_configDelete( string $key )

Deletes a single config key.

Parameters
string $key
Key to delete.
Throws
Cake\Core\Exception\Exception
if attempting to clobber existing config

_configRead() protected ¶

_configRead( string|null $key )

Reads a config key.

Parameters
string|null $key
Key to read.
Returns
mixed

_configWrite() protected ¶

_configWrite( string|array $key , mixed $value , boolean|string $merge false )

Writes a config key.

Parameters
string|array $key
Key to write to.
mixed $value
Value to write.
boolean|string $merge optional false

True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Throws
Cake\Core\Exception\Exception
if attempting to clobber existing config

config() public ¶

config( string|array|null $key null , mixed|null $value null , boolean $merge true )

Gets/Sets the config.

Usage

Reading the whole config:

$this->config();

Reading a specific value:

$this->config('key');

Reading a nested value:

$this->config('some.nested.key');

Setting a specific value:

$this->config('key', $value);

Setting a nested value:

$this->config('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->config(['one' => 'value', 'another' => 'value']);
Deprecated
3.4.0 use setConfig()/getConfig() instead.
Parameters
string|array|null $key optional null
The key to get/set, or a complete array of configs.
mixed|null $value optional null
The value to set.
boolean $merge optional true
Whether to recursively merge or overwrite existing config, defaults to true.
Returns
mixed
Config value being read, or the object itself on write operations.
Throws
Cake\Core\Exception\Exception
When trying to set a key that is invalid.

configShallow() public ¶

configShallow( string|array $key , mixed|null $value null )

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);
Parameters
string|array $key
The key to set, or a complete array of configs.
mixed|null $value optional null
The value to set.
Returns

$this

getConfig() public ¶

getConfig( string|null $key null , mixed $default null )

Returns the config.

Usage

Reading the whole config:

$this->getConfig();

Reading a specific value:

$this->getConfig('key');

Reading a nested value:

$this->getConfig('some.nested.key');

Reading with default value:

$this->getConfig('some-key', 'default-value');
Parameters
string|null $key optional null
The key to get or null for the whole config.
mixed $default optional null
The return value when the key does not exist.
Returns
mixed
Config value being read.

setConfig() public ¶

setConfig( string|array $key , mixed|null $value null , boolean $merge true )

Sets the config.

Usage

Setting a specific value:

$this->setConfig('key', $value);

Setting a nested value:

$this->setConfig('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->setConfig(['one' => 'value', 'another' => 'value']);
Parameters
string|array $key
The key to set, or a complete array of configs.
mixed|null $value optional null
The value to set.
boolean $merge optional true
Whether to recursively merge or overwrite existing config, defaults to true.
Returns

$this
Throws
Cake\Core\Exception\Exception
When trying to set a key that is invalid.

Methods used from Cake\Log\LogTrait

log() public ¶

log( mixed $msg , integer|string $level LogLevel::ERROR , string|array $context [] )

Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

Parameters
mixed $msg
Log message.
integer|string $level optional LogLevel::ERROR
Error level.
string|array $context optional []
Additional log data relevant to this message.
Returns
boolean
Success of log write.

Properties detail

$_action ¶

protected string

Holds the current action of the controller

$_defaultConfig ¶

protected array

Default config

  • blackHoleCallback - The controller method that will be called if this request is black-hole'd.
  • requireSecure - List of actions that require an SSL-secured connection.
  • requireAuth - List of actions that require a valid authentication key. Deprecated as of 3.2.2
  • allowedControllers - Controllers from which actions of the current controller are allowed to receive requests.
  • allowedActions - Actions from which actions of the current controller are allowed to receive requests.
  • unlockedFields - Form fields to exclude from POST validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked.
  • unlockedActions - Actions to exclude from POST validation checks. Other checks like requireAuth(), requireSecure() etc. will still be applied.
  • validatePost - Whether to validate POST data. Set to false to disable for data coming from 3rd party services, etc.
[
    'blackHoleCallback' => null,
    'requireSecure' => [],
    'requireAuth' => [],
    'allowedControllers' => [],
    'allowedActions' => [],
    'unlockedFields' => [],
    'unlockedActions' => [],
    'validatePost' => true
]

$session ¶

public Cake\Http\Session

The Session object

Follow @CakePHP
#IRC
OpenHub
Rackspace
  • Business Solutions
  • Showcase
  • Documentation
  • Book
  • API
  • Videos
  • Logos & Trademarks
  • Community
  • Team
  • Issues (Github)
  • YouTube Channel
  • Get Involved
  • Bakery
  • Featured Resources
  • Newsletter
  • Certification
  • My CakePHP
  • CakeFest
  • Facebook
  • Twitter
  • Help & Support
  • Forum
  • Stack Overflow
  • IRC
  • Slack
  • Paid Support

Generated using CakePHP API Docs