Commit graph

582 commits

Author SHA1 Message Date
chinpei215
26731b93bf Use ternary operator 2016-12-04 21:55:29 +09:00
chinpei215
b7481096c8 Fix redirectUrl issue when loginRedirect is empty
Fixes #9819
2016-12-04 20:06:24 +09:00
mark_story
27f951fb41 Don't emit errors when operating on corrupted cookie data.
When deleting from corrupted cookie data, there shouldn't be any errors.

Refs #9779
2016-12-03 14:10:47 -05:00
Rodrigo Pérez
20da4484de refs #backport-paginate-multiple-queries Backporting cakephp 3.3 feature to paginate multiple queries 2016-11-04 11:10:28 +00:00
xhs345
e1c5ef9e7a Add clear option to Flash Message
To give user the option to disable Stacking of messages and being consistent with 3.x
2016-10-30 20:39:00 -07:00
xhs345
c59fb85da8 Add support for stacking Flash messages
See Issue #7830
2016-10-28 09:10:01 -07:00
chinpei215
d7ae1c92e7 Backport test cases and make sure those pass 2016-10-16 22:04:24 +09:00
chinpei215
0d96b9ff64 Backport changes in SecurityComponent and FormHelper 2016-10-16 21:55:05 +09:00
Nicola Beghin
41851d60b4 fix HTTP Basic Auth on FastCGI PHP 2016-08-28 19:16:59 +02:00
mark_story
61b3fbd605 Merge branch '2.x' into 2.next 2016-08-09 22:12:26 -04:00
Kim Biesbjerg
f22129b9c7 Store user data in memory on login for stateless auth adapters 2016-07-06 00:25:46 +02:00
mark_story
432eb9c432 Merge branch '2.x' into 2.next 2016-06-27 21:47:47 -04:00
Iñigo In The Cloud
2c112095a9 Issue #9040 - Auth saving json in Auth.redirect
AuthComponent is storing JSON or any other AJAX request URL into the session variable Auth.redirect used for login redirect if the AJAX request does not send the X-Requested-With:XMLHttpRequest header.

If you send an ajax request without that header and your request is not a (.json) it will store the URL anyway.
2016-06-27 14:15:05 -04:00
Richard Torenvliet
e31ce0d58f Add the HTTP Patch to the Content-Type check mechanism
Currently when a request is of type 'patch' it is ignored. This commit makes
sure that the Content-Type is checked when a patch request is provided.
2016-05-18 14:54:52 +02:00
mscherer
dda9e83ab6 Refactor Object to CakeObject for future PHP7 comp. 2016-04-08 14:33:26 +02:00
mark_story
7df99fff1f Backport Security::randomBytes() to 2.x
I decided to leave the warning in. People who can't upgrade their
applications should at least be aware of the risks they are taking.

I'm flexible if people are strongly opposed to a warning, but I feel
that these kinds of warnings can be supressed in production if they
really are in a jam and don't care.

Refs #8282
2016-02-22 00:14:44 -05:00
Marc Würth
780b836d57 Deprecate SecurityComponent::requireAuth & SecurityComponent::requireAuth()
Backport of https://github.com/cakephp/cakephp/pull/8191
2016-02-10 13:37:10 +01:00
Edgaras Janušauskas
5b10e3cac2 Use mixed return type for AuthComponent::user() 2016-02-09 23:04:26 +02:00
mark_story
3b5a71df37 Merge branch '2.7' into 2.8 2016-01-28 21:51:59 -05:00
Edgaras Janušauskas
6e54a7391c Use more specific datatypes in PHPDoc 2016-01-28 23:10:51 +02:00
mark_story
3e67685c7c Merge branch '2.7' into 2.8 2016-01-21 21:46:51 -05:00
mark_story
4b8d628a2e Backport SecurityComponent fixes from #8071 to 2.x
If the request manages to have data set outside of post/put we should
still validate the request body. This expands SecurityComponent to cover
PATCH and DELETE methods, as well as request methods that should be
safe, but somehow end up not safe.
2016-01-20 21:34:58 -05:00
Mark Scherer
12b4c9ba24 Fix bracket syntax. 2015-12-23 21:45:15 +01:00
Mark Scherer
8b5ef12ccb Always return response in redirect() for testing. 2015-12-23 21:29:19 +01:00
Mark S
b76a235175 Remove default overwrites that are useless 2015-12-08 18:21:51 +01:00
mark_story
925647ae2b Simplify code used to generate plugin flash messages. 2015-10-17 20:59:02 -04:00
gmponos
fd50d1976a Flash Component was not handling plugin option 2015-10-17 20:55:52 -04:00
Mark Story
12f5aee5a2 Merge pull request #7447 from ravage84/2.7-lib-improvements
Various improvements to the CakePHP lib files
2015-09-25 12:14:00 -04:00
Marc Würth
e690662f0e Various improvments to the CakePH Plib files
Mostly CS, doc blocks and explicit returning nulls.
2015-09-25 17:11:20 +02:00
mark_story
9f20330d17 Fix fatal error on null subject.
Refs #7176
2015-08-05 22:20:39 -04:00
Mark Scherer
52e79987a2 Replacing self with static due to PHP5.3+. Following #7040. 2015-07-21 10:22:53 +02:00
David Yell
4af2e5489b Update deprecated method in docblocks
So that the docblock doesn't point you to another deprecated method which then points you to the actual method.
2015-07-17 16:14:06 +02:00
adam1010
1922a18d07 Ajax requests not properly returning 403
When an AJAX request is made to a page that's not authorized, an infinite redirect loop to  /status:403/exit:1  is triggered. This bug has existed at least since CakePHP v2.3.0. The main use case is when a user's session has expired and they try to use an authenticated feature as a logged-out user.
2015-07-16 22:47:13 -04:00
Highstrike
8257100f54 How about this? 2015-06-24 15:46:48 +03:00
Highstrike
58983f717a 2.7.0-RC Auth doesn't use the new Flash component
Changed 'Flash.' to 'Message.' and also provided backwards compatibility
in FlashHelper->render
2015-06-24 14:06:35 +03:00
mark_story
d7d8b90986 Merge branch '2.6' into 2.7 2015-05-28 19:34:59 -04:00
mark_story
65691836be Fix syntax errors in PHP <5.4 2015-05-28 17:39:52 -04:00
mark_story
995d8d22c6 Disable reading XML files and URLs when handling user data.
Allowing users to load arbitrary files/URLs with Xml is not desirable
when handing user input.
2015-05-27 09:45:53 -04:00
mark_story
0b916cedbb Merge branch 'master' into 2.7 2015-03-09 21:55:20 -04:00
mark_story
02c9dda9a7 Make maxLimit and limit settings independent.
Having maxLimit infer what it should be based on limit was not a very
transparent default behavior. The documentation states that maxLimit
will default to 100, but the code would default it to 'limit' if set.
This created confusing behavior when only one setting was defined.

Refs #5973
2015-02-27 22:35:52 -05:00
mark_story
63769ae4a6 Merge branch 'master' into 2.7
Conflicts:
	lib/Cake/VERSION.txt
2015-02-26 12:50:35 -05:00
mark_story
c92cfb413f Allow numeric sorts in PaginatorComponent.
When paginating data, we should not ignore numerically indexed order
conditions. Instead they should be handled similar to Model::find().

This creates a slightly different behavior when model's have default
sorting applied as more default sort options forms will be honoured.

Refs #5964
2015-02-25 21:38:56 -05:00
James Tancock
3cee029aa7 Removed usage of __() for InternalError 2015-02-12 15:09:18 +00:00
James Tancock
1cb670bdfa Add deprecated doctag for current methods 2015-02-10 08:15:01 +00:00
James Tancock
e173c29d33 Fix for phpcs 2015-02-04 15:31:50 +00:00
James Tancock
2ff6bdccec Back port of Flash component & helper 2015-02-04 12:18:31 +00:00
mark_story
ac9a212d44 Merge branch 'master' into 2.7
Conflicts:
	lib/Cake/Utility/String.php
2015-01-11 15:25:18 -05:00
antograssiot
c2f298a8b7 Replace our custom code fence with markdown standard fence 2015-01-09 13:47:25 +01:00
euromark
52ecccb1a2 App::uses and usage replacements for String => CakeText. 2015-01-05 01:00:57 +01:00
Mark Story
7bbc3dfd90 Merge pull request #5470 from cakephp/2.7-session
Backport Session consume() to 2.x
2014-12-26 12:22:20 -05:00
euromark
545ff20e1d Add component and helper wrapper methods. 2014-12-23 03:50:35 +01:00
Mark Story
1651e7742c Merge pull request #5088 from sebastienbarre/ticket-5041
Ticket #5041: have Auth::login() send Auth.afterIdentify event
2014-12-18 00:12:22 -05:00
mark_story
4d6611b328 Merge branch 'master' into 2.6
Conflicts:
	lib/Cake/VERSION.txt
2014-12-17 21:38:32 -05:00
euromark
e1c128bb99 Consolidate with conditions sniff. 2014-12-09 03:17:35 +01:00
Sebastien Barre
7da48669c8 Have BaseAuthenticate implement CakeEventListener instead 2014-11-22 13:31:38 -05:00
Sebastien Barre
50e5b5e8fe Move App::uses() again 2014-11-22 13:31:38 -05:00
Sebastien Barre
43413f029e Ticket 5041: have Auth::login() send Auth.afterIdentify event 2014-11-22 13:31:38 -05:00
euromark
41c646c5a1 Simplification of return types. No need to return more mixed than necessary. 2014-11-08 20:07:47 +01:00
euromark
345a18f15f Merge branch 'master' into 2.6 2014-11-05 23:29:06 +01:00
euromark
768f2c809c Correct doc block return types. 2014-11-05 13:03:27 +01:00
Sebastien Barre
2995d9319c Prepend model alias for safety 2014-11-01 09:36:59 -04:00
Sebastien Barre
417c137d11 Fix DigestAuthenticate test 2014-10-31 21:42:18 -04:00
Sebastien Barre
2f62ee2cde ticket #5017 add userFields setting to BaseAuthenticate 2014-10-31 15:00:19 -04:00
mark_story
b98d2a3365 Merge branch 'master' into 2.6 2014-10-24 22:05:46 -04:00
mark_story
cdc67116c5 Handle query string arguments in digest auth data.
Handle &, ? in digest auth data uri.

Refs #4908
2014-10-17 23:12:41 -04:00
mark_story
0d11cf7a33 Merge branch 'master' into 2.6 2014-09-14 23:26:33 -04:00
Joseph Sutton
faaba42aa7 Fixed type-casting for AuthComponent::login() 2014-09-14 11:15:08 -05:00
Joseph Sutton
87a58eeaea AuthComponent::login() returning deprecated method
Changed $this->loggedIn() to $this->user(), as per the PHPDOC for loggedIn() at line 817
2014-09-14 00:28:30 -05:00
ADmad
3fb252ad2f Merge branch 'master' into 2.6 2014-09-13 00:37:16 +05:30
euromark
04ef39217f Take care of more int casts. 2014-09-10 16:29:23 +02:00
euromark
e77f96d8b7 Use (int) cast instead of intval() function for performance reasons and to unify it. 2014-09-10 15:52:57 +02:00
mark_story
734bb9223b Merge branch 'master' into 2.6
Conflicts:
	lib/Cake/Core/App.php
	lib/Cake/VERSION.txt
2014-09-06 23:04:20 -04:00
Jeremy Harris
3a41433c94 Deprecated AuthComponent::mapActions 2014-09-04 08:35:40 -05:00
Marc Würth
67ba9cb406 Update all @deprecated annotations
to adhere to the @deprecated <version> <description> format, where version and description are mandatory.
2014-09-02 17:03:22 +02:00
Jeremy Harris
66b2173566 Made AuthComponent::mapActions() act as a getter refs #3331 2014-08-29 08:23:41 -05:00
euromark
5f5218f3b2 Fix cookie reading. 2014-08-06 22:53:54 +02:00
Steve Tauber
0af698c591 Updating RequestHandlerComponent to accept body of HTTP Delete requests 2014-07-29 16:08:33 +02:00
David Steinsland
b61972871a Fixed sending of headers when ajaxLogin is set 2014-07-22 13:21:42 +02:00
mark_story
b3dfad614a Correct pattern matching.
Instead of 10 digits, it should limit at 10 groups.

Refs 1988e89e73
2014-07-06 09:42:20 -04:00
Schlaefer
9fa7afa354 fixes #3887 CSRF reusable token expires 2014-07-06 10:39:00 +02:00
mark_story
1988e89e73 Add an upper bound to the POST data SecurityComponent will consider.
'Kurita Takashi' has let us know that the previous patterns could be
abused by an evil doer. One could potentially send a very large deeply
nested POST data structure. Matching that structure could overflow the
PCRE limits causing a segmentation fault. Adding an upper bound will
solve the problem and I doubt anyone is doing POST data structures with
more than 10 levels of nesting.
2014-07-03 22:02:00 -04:00
euromark
974ca851c2 Correct doc blocks according to cs guidelines.
Remove superfluous empty lines.
2014-07-03 15:36:42 +02:00
mark_story
b4bcd74e60 Whitelist more URL-y characters in digest parsing.
Android clients include a full URL instead of just the URI. Also handle
situations where URLencoded bytes and document fragments are used.

Refs #3779
2014-06-23 14:39:35 -04:00
Bryan Crowe
1db10b4dd1 Basic grammar update to BasicAuthenticate docblock 2014-06-16 21:48:35 -04:00
ADmad
4ee7cf6564 Remove lies from API docblock for BasicAuthenticate class.
Add info on how to configure for cookieless/stateless operation without redirection.
2014-06-08 14:05:08 +05:30
mark_story
07b43403fb Fix doc errors in Component/Acl. 2014-06-06 13:57:15 -04:00
mark_story
7058921275 Fix doc comment errors in Acl classes. 2014-06-05 00:15:45 -04:00
mark_story
975e4c3af0 Allow username of 0 in basic authentication.
Refs #3624
2014-06-02 22:02:28 -04:00
mark_story
d1e4dfac47 Add tests for #3624
The username of '0' should be accepted by FormAuthenticate.

Refs #3624
2014-06-02 21:58:50 -04:00
KeinBaum
88b3629f4f #3623: Allow username "0" with FormAuthenticate 2014-06-02 19:11:02 +02:00
ADmad
3d9b2b80cb More API docblock fixes. 2014-06-01 03:06:05 +05:30
mark_story
b2207c1ca8 Reverse conditions to make the cheapest condition first.
We don't need to do a count() if the page is not 1.

Refs #3333
2014-05-12 22:09:27 -04:00
Toby Cox
823f01601d enhancement to paginator
As pointed out, we need to make sure that we are also on the first page
to make this conditional clause valid
2014-05-12 21:49:08 -04:00
Toby Cox
296ea215b1 Enhancement to paginator
No point in finding the count (via model) if the returned result count
is less than our limit. We then know that the count is the count of our
results
2014-05-12 21:49:07 -04:00
Renan Gonçalves
87683b10f1 Allowing same Authenticate object to be setup with different settings. 2014-05-06 22:10:41 +02:00
ADmad
d466e00644 Merge branch 'master' into 2.5
Conflicts:
	lib/Cake/Model/Datasource/DboSource.php
	lib/Cake/Test/Case/Model/Datasource/Database/MysqlTest.php
	lib/Cake/Utility/Folder.php
	lib/Cake/VERSION.txt
2014-05-04 14:35:36 +05:30
euromark
7a287a6942 More coding standard corrections. 2014-04-29 14:19:33 +02:00
mark_story
de0062de77 Merge branch 'master' into 2.5 2014-04-25 22:10:02 -04:00
mark_story
f23d811ff5 Use the form action URL in generated form hashes.
By including the URL in generated hash for secured forms we prevent
a class of abuse where a user uses one secured form to post into a
controller action the form was not originally intended for. These cross
action requests could potentially violate developer's mental model of
how SecurityComponent works and produce unexpected/undesirable outcomes.

Thanks to Kurita Takashi for pointing this issue out, and suggesting
a fix.
2014-04-25 22:05:58 -04:00
mark_story
d54fbe6f60 Merge branch 'master' into 2.5 2014-04-18 22:13:56 -04:00