diff --git a/lib/Cake/Controller/Component/SecurityComponent.php b/lib/Cake/Controller/Component/SecurityComponent.php
index 60fa92025..ff600cf85 100644
--- a/lib/Cake/Controller/Component/SecurityComponent.php
+++ b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -203,17 +203,17 @@ class SecurityComponent extends Component {
 		$this->_authRequired($controller);
 		$isPost = ($this->request->is('post') || $this->request->is('put'));
-		$isRequestAction = (
+		$isNotRequestAction = (
 			!isset($controller->request->params['requested']) ||
 			$controller->request->params['requested'] != 1
 		);
-		if ($isPost && $isRequestAction && $this->validatePost) {
+		if ($isPost && $isNotRequestAction && $this->validatePost) {
 			if ($this->_validatePost($controller) === false) {
 				return $this->blackHole($controller, 'auth');
 			}
 		}
-		if ($isPost && $this->csrfCheck) {
+		if ($isPost && $isNotRequestAction && $this->csrfCheck) {
 			if ($this->_validateCsrf($controller) === false) {
 				return $this->blackHole($controller, 'csrf');
 			}
diff --git a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
index e24625fbd..536c302ba 100644
--- a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
+++ b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
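Review bot: The reason form-token and CSRF validation may be skipped when `params['requested']` is set is not recorded anywhere in the hunk, and because this is a deliberate exemption from a security check it deserves a comment on the `$isNotRequestAction` assignment. Something like `// params['requested'] is set by requestAction() for internal sub-requests, which carry no form token or CSRF nonce; skip both checks for them` would do, on the assumption that this flag is only ever set internally and cannot be supplied through the routed HTTP request, which is worth confirming before relying on it. The conjunction `$isPost && $isNotRequestAction` is now evaluated twice; hoisting it into one local, e.g. `$checkRequest = $isPost && $isNotRequestAction;`, keeps the two guards from drifting apart in future edits. The enclosing `startup()` method begins before the hunk and continues after it.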
@@ -1036,6 +1036,23 @@ class SecurityComponentTest extends CakeTestCase {
 		$this->assertTrue($this->Controller->Security->Session->check('_Token'), '_Token was deleted by blackHole %s');
 	}
+/**
+ * test that csrf checks are skipped for request action.
+ *
+ * @return void
+ */
+	public function testCsrfSkipRequestAction() {
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+
+		$this->Security->validatePost = false;
+		$this->Security->csrfCheck = true;
+		$this->Security->csrfExpires = '+10 minutes';
+		$this->Controller->request->params['requested'] = 1;
+		$this->Security->startup($this->Controller);
+
+		$this->assertFalse($this->Controller->failed, 'fail() was called.');
+	}
+
 /**
  * test setting
  *
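Review bot: The test only asserts that `fail()` is not called when `params['requested']` is 1, but nothing in it pins that the same request would otherwise have been black-holed, so a regression that disables the CSRF check altogether would pass it too. A sibling assertion or test running the identical setup without `params['requested']` and expecting `$this->Controller->failed` to be set would make the skip, rather than a silently disabled check, the thing being verified. The docblock could also state why the skip is correct, e.g. `* requestAction() sub-requests are internal and carry no CSRF token, so the check must not apply to them.` Assigning `$_SERVER['REQUEST_METHOD']` directly leaks into later tests unless the base test case restores superglobals, which cannot be confirmed from this hunk.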