When using stateless authentication the current user should be cleared
after logout to maintain consistency with session-based authentication.
Refs #10422
AuthComponent is storing JSON or any other AJAX request URL into the session variable Auth.redirect used for login redirect if the AJAX request does not send the X-Requested-With:XMLHttpRequest header.
If you send an AJAX request without that header and your request is not a (.json) one, it will store the URL anyway.
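The check described above, as an added example that is not CakePHP's code: a framework-free helper (plain arrays stand in for the request, and the function names are hypothetical) that refuses to remember an AJAX or data-format URL as the post-login redirect target, including the .json case without the header.

```php
<?php
// Added example, not CakePHP's own code. Decides whether a request URL is a
// sensible post-login redirect target. Inputs are plain arrays (assumption),
// not CakeRequest objects.

function isAjaxRequest(array $headers): bool
{
    // Header names are case-insensitive; normalise before comparing.
    foreach ($headers as $name => $value) {
        if (strtolower($name) === 'x-requested-with'
            && strcasecmp($value, 'XMLHttpRequest') === 0) {
            return true;
        }
    }
    return false;
}

function isDataRequest(string $path, array $headers): bool
{
    // A .json/.xml URL or an Accept header asking for those types is an API
    // call, not a page a browser user should land on after logging in.
    $ext = strtolower(pathinfo(parse_url($path, PHP_URL_PATH) ?? '', PATHINFO_EXTENSION));
    if (in_array($ext, ['json', 'xml'], true)) {
        return true;
    }
    $accept = '';
    foreach ($headers as $name => $value) {
        if (strtolower($name) === 'accept') {
            $accept = $value;
        }
    }
    return stripos($accept, 'application/json') !== false
        || stripos($accept, 'application/xml') !== false;
}

function loginRedirectTarget(string $method, string $path, array $headers): ?string
{
    // Only a plain GET of an HTML page is worth storing in Auth.redirect.
    if ($method !== 'GET' || isAjaxRequest($headers) || isDataRequest($path, $headers)) {
        return null;
    }
    return $path;
}

// Constructed sample requests: the second one is the case from the report
// (no X-Requested-With header, but a .json URL) and must not be stored.
$cases = [
    ['GET',  '/posts/view/1', []],
    ['GET',  '/posts.json',   []],
    ['GET',  '/posts/index',  ['X-Requested-With' => 'XMLHttpRequest']],
    ['POST', '/posts/add',    []],
];
foreach ($cases as [$method, $path, $headers]) {
    printf("%-4s %-16s => %s\n", $method, $path,
        loginRedirectTarget($method, $path, $headers) ?? '(not stored)');
}
```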
I decided to leave the warning in. People who can't upgrade their
applications should at least be aware of the risks they are taking.
I'm flexible if people are strongly opposed to a warning, but I feel
that these kinds of warnings can be suppressed in production if they
really are in a jam and don't care.
Refs #8282
If the request manages to have data set outside of post/put we should
still validate the request body. This expands SecurityComponent to cover
PATCH and DELETE methods, as well as request methods that should be
safe, but somehow end up not safe.
When an AJAX request is made to a page that's not authorized, an infinite redirect loop to /status:403/exit:1 is triggered. This bug has existed at least since CakePHP v2.3.0. The main use case is when a user's session has expired and they try to use an authenticated feature as a logged-out user.
Having maxLimit infer what it should be based on limit was not a very
transparent default behavior. The documentation states that maxLimit
will default to 100, but the code would default it to 'limit' if set.
This created confusing behavior when only one setting was defined.
Refs #5973
When paginating data, we should not ignore numerically indexed order
conditions. Instead they should be handled similar to Model::find().
This creates a slightly different behavior when models have default
sorting applied, as more default sort option forms will be honoured.
Refs #5964