CakePHP和Facebook与安全组件打开 [英] CakePHP and Facebook with Security Component turned on

查看:70
本文介绍了CakePHP和Facebook与安全组件打开的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我要安全组件开启。



但是当你在Facebook选项卡中加载CakePHP应用程序时,FB将$ _REQUEST ['signed_request']发送到我的表单 - 这个问题是安全组件



如何解决这个问题?



我在文档中找不到任何东西来解决这个问题。



我想要的是以某种方式手动运行安全组件它只会在我实际提交表单时反应,而不是当Facebook将$ _REQUEST ['signed_request']发布到我的表单时。



UPDATE:

 <?php 
 App :: uses('CakeEmail','Network / Email'); 
 
 class PagesController extends AppController {
 public $ helpers = array('Html','Form'); 
 public $ components = array('RequestHandler'); 
 
 public function beforeFilter(){
 parent :: beforeFilter(); 
 $ this-> Auth-> allow('*'); 
 
 $ this-> Security-> validatePost = true; 
 $ this-> Security-> csrfCheck = true; 
 $ this-> Security-> unlockedFields [] ='signed_request'; 
} 
 
 public function home(){
 $ this-> loadModel('Memberx'); 
 if($ this-> request-> is('post')&& isset($ this-> request-> data ['Memberx'] ['name'])){ 
 //...save here ...等等... 
} 
} 
  


  public function beforeFilter(){
 parent :: beforeFilter 
 $ this-> Auth-> allow('*'); 
 
 $ this-> set('hasLiked',false); 
 
 if(isset($ this-> request-> data ['signed_request'])){
 $ this-> set('hasLiked',$ this-> hasLiked($ this-> request-> data ['signed_request'])); 
} 
 
 if(isset($ this-> request-> data ['Memberx'] ['signed_request'])){
 $ this-> set ('hasLiked',$ this-> hasLiked($ this-> request-> data ['Memberx'] ['signed_request'])); 
} 
 
 / * 
要回到Facebook的帖子$ _REQUEST ['signed_request'],
,我们取消设置$ _REQUEST ['signed_request']并禁用csrfCheck 
仅当我们设置了hasLiked视图变量
 * / 
 unset($ this-> request-> data ['signed_request']); 
 if(empty($ this-> request-> data)){
 $ this-> Security-> csrfCheck = false; 
} 
}

然后, 

 <?php 
 if($ hasLiked){
?> 
您已经喜欢了此页! 
<?php 
} 
?>


解决方案

  beforeFilter(){
 parent :: beforeFilter(); 
 $ this-> Auth-> allow('*'); 
 $ this-> _validateFbRequest(); 
} 
 
 protected function _valdiateFbRequest(){
 if(!isset($ this-> request-> data ['signed_request'])){
 //不是从fb 
的有效请求// throw exception或handle但是你想要
 return; 
} 
 $ signedRequest = $ this-> request-> data ['signed_request']; 
 unset($ this-> request-> data ['signed_request']); 
 if(empty($ this-> request-> data)){
 $ this-> Security-> csrfCheck = false; 
} 
 //验证请求
}


I want the Security Component turned on.

BUT when you load a CakePHP app inside a Facebook tab, FB posts $_REQUEST['signed_request'] to my form - the problem with this is that the Security Component "reacts" to this "post" and gives me validation errors, black-hole, etc.

How do I go around this?

I could not find anything on the documentation to go around this problem.

What I wanted was to somehow run the Security Component "manually" so that it only "reacts" when I actually submit my form and not when Facebook posts the $_REQUEST['signed_request'] to my form.

UPDATE:

<?php
App::uses('CakeEmail', 'Network/Email');

class PagesController extends AppController {
    public $helpers = array('Html','Form');
    public $components = array('RequestHandler');

    public function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->allow('*');

         $this->Security->validatePost = true;
         $this->Security->csrfCheck = true;
         $this->Security->unlockedFields[] = 'signed_request';
    }

    public function home() {
        $this->loadModel('Memberx');
                if($this->request->is('post') && isset($this->request->data['Memberx']['name'])) {
                 //...save here, etc. ...
                }
    }

FYI: I get a "black hole" error.

FINAL UPDATE (After @tigrang's answer):

public function beforeFilter() {
    parent::beforeFilter();
    $this->Auth->allow('*');

    $this->set('hasLiked', false);

    if(isset($this->request->data['signed_request'])){
        $this->set('hasLiked', $this->hasLiked($this->request->data['signed_request']));
    } 

    if(isset($this->request->data['Memberx']['signed_request'])) {
        $this->set('hasLiked', $this->hasLiked($this->request->data['Memberx']['signed_request']));  
    }

    /* 
    To go around Facebook's post $_REQUEST['signed_request'],
    we unset the $_REQUEST['signed_request'] and disable the csrfCheck
    ONLY after we have set the hasLiked view variable
    */
    unset($this->request->data['signed_request']);
    if (empty($this->request->data)) {
       $this->Security->csrfCheck = false;
    }        
}

Then, I do something like below in my views:

<?php
if($hasLiked) {
?>
    You have liked this page!
<?php
}
?>

解决方案 

public function beforeFilter() {
    parent::beforeFilter();
    $this->Auth->allow('*');
    $this->_validateFbRequest();
}

protected function _valdiateFbRequest() {
   if (!isset($this->request->data['signed_request'])) {
       // not a valid request from fb
       // throw exception or handle however you want
       return;
   }
   $signedRequest = $this->request->data['signed_request'];
   unset($this->request->data['signed_request']);
   if (empty($this->request->data)) {
       $this->Security->csrfCheck = false;
   }
   // validate the request
}

这篇关于CakePHP和Facebook与安全组件打开的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
PHP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆