CakePHP和Facebook与安全组件打开 [英] CakePHP and Facebook with Security Component turned on
问题描述
我要安全组件开启。
但是当你在Facebook选项卡中加载CakePHP应用程序时,FB将$ _REQUEST ['signed_request']发送到我的表单 - 这个问题是安全组件
如何解决这个问题?
我在文档中找不到任何东西来解决这个问题。
我想要的是以某种方式手动运行安全组件它只会在我实际提交表单时反应,而不是当Facebook将$ _REQUEST ['signed_request']发布到我的表单时。
UPDATE:
<?php
App :: uses('CakeEmail','Network / Email');
class PagesController extends AppController {
public $ helpers = array('Html','Form');
public $ components = array('RequestHandler');
public function beforeFilter(){
parent :: beforeFilter();
$ this-> Auth-> allow('*');
$ this-> Security-> validatePost = true;
$ this-> Security-> csrfCheck = true;
$ this-> Security-> unlockedFields [] ='signed_request';
}
public function home(){
$ this-> loadModel('Memberx');
if($ this-> request-> is('post')&& isset($ this-> request-> data ['Memberx'] ['name'])){
//...save here ...等等...
}
}
public function beforeFilter(){
parent :: beforeFilter
$ this-> Auth-> allow('*');
$ this-> set('hasLiked',false);
if(isset($ this-> request-> data ['signed_request'])){
$ this-> set('hasLiked',$ this-> hasLiked($ this-> request-> data ['signed_request']));
}
if(isset($ this-> request-> data ['Memberx'] ['signed_request'])){
$ this-> set ('hasLiked',$ this-> hasLiked($ this-> request-> data ['Memberx'] ['signed_request']));
}
/ *
要回到Facebook的帖子$ _REQUEST ['signed_request'],
,我们取消设置$ _REQUEST ['signed_request']并禁用csrfCheck
仅当我们设置了hasLiked视图变量
* /
unset($ this-> request-> data ['signed_request']);
if(empty($ this-> request-> data)){
$ this-> Security-> csrfCheck = false;
}
}
然后,
<?php
if($ hasLiked){
?>
您已经喜欢了此页!
<?php
}
?>
beforeFilter(){
parent :: beforeFilter();
$ this-> Auth-> allow('*');
$ this-> _validateFbRequest();
}
protected function _valdiateFbRequest(){
if(!isset($ this-> request-> data ['signed_request'])){
//不是从fb
的有效请求// throw exception或handle但是你想要
return;
}
$ signedRequest = $ this-> request-> data ['signed_request'];
unset($ this-> request-> data ['signed_request']);
if(empty($ this-> request-> data)){
$ this-> Security-> csrfCheck = false;
}
//验证请求
}
I want the Security Component turned on.
BUT when you load a CakePHP app inside a Facebook tab, FB posts $_REQUEST['signed_request'] to my form - the problem with this is that the Security Component "reacts" to this "post" and gives me validation errors, black-hole, etc.
How do I go around this?
I could not find anything on the documentation to go around this problem.
What I wanted was to somehow run the Security Component "manually" so that it only "reacts" when I actually submit my form and not when Facebook posts the $_REQUEST['signed_request'] to my form.
UPDATE:
<?php
App::uses('CakeEmail', 'Network/Email');
class PagesController extends AppController {
public $helpers = array('Html','Form');
public $components = array('RequestHandler');
public function beforeFilter() {
parent::beforeFilter();
$this->Auth->allow('*');
$this->Security->validatePost = true;
$this->Security->csrfCheck = true;
$this->Security->unlockedFields[] = 'signed_request';
}
public function home() {
$this->loadModel('Memberx');
if($this->request->is('post') && isset($this->request->data['Memberx']['name'])) {
//...save here, etc. ...
}
}
FYI: I get a "black hole" error.
FINAL UPDATE (After @tigrang's answer):
public function beforeFilter() {
parent::beforeFilter();
$this->Auth->allow('*');
$this->set('hasLiked', false);
if(isset($this->request->data['signed_request'])){
$this->set('hasLiked', $this->hasLiked($this->request->data['signed_request']));
}
if(isset($this->request->data['Memberx']['signed_request'])) {
$this->set('hasLiked', $this->hasLiked($this->request->data['Memberx']['signed_request']));
}
/*
To go around Facebook's post $_REQUEST['signed_request'],
we unset the $_REQUEST['signed_request'] and disable the csrfCheck
ONLY after we have set the hasLiked view variable
*/
unset($this->request->data['signed_request']);
if (empty($this->request->data)) {
$this->Security->csrfCheck = false;
}
}
Then, I do something like below in my views:
<?php
if($hasLiked) {
?>
You have liked this page!
<?php
}
?>
public function beforeFilter() {
parent::beforeFilter();
$this->Auth->allow('*');
$this->_validateFbRequest();
}
protected function _valdiateFbRequest() {
if (!isset($this->request->data['signed_request'])) {
// not a valid request from fb
// throw exception or handle however you want
return;
}
$signedRequest = $this->request->data['signed_request'];
unset($this->request->data['signed_request']);
if (empty($this->request->data)) {
$this->Security->csrfCheck = false;
}
// validate the request
}
这篇关于CakePHP和Facebook与安全组件打开的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!