Class FormProtectionComponent

Protects against form tampering. It ensures that:

  • Form's action (URL) is not modified.
  • Unknown / extra fields are not added to the form.
  • Existing fields have not been removed from the form.
  • Values of hidden inputs have not been changed.
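The four guarantees above can be pictured with a simplified token model. This is an added illustration, not CakePHP's FormProtector code: the HMAC construction, the function names `formToken()` and `isUntampered()`, and all sample values are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Simplified model of a form-tampering token (not CakePHP's FormProtector code).
// $secret stands in for a server-side application secret.
function formToken(string $action, array $fieldNames, array $hidden, string $secret): string
{
    sort($fieldNames);   // submission order must not affect the token
    ksort($hidden);
    $payload = json_encode([$action, $fieldNames, $hidden], JSON_THROW_ON_ERROR);

    return hash_hmac('sha256', $payload, $secret);
}

// Recompute the token from what was actually submitted and compare in constant time.
function isUntampered(string $token, string $action, array $post, array $hiddenNames, string $secret): bool
{
    $hidden = array_intersect_key($post, array_flip($hiddenNames));

    return hash_equals($token, formToken($action, array_keys($post), $hidden, $secret));
}

// Constructed sample data: the token is issued when the form is rendered.
$secret = 'constructed-demo-secret';
$token = formToken('/orders/edit/7', ['id', 'quantity', 'note'], ['id' => '7'], $secret);
$hiddenNames = ['id'];

$cases = [
    'unchanged form'       => ['/orders/edit/7', ['id' => '7', 'quantity' => '2', 'note' => 'hi']],
    'action modified'      => ['/orders/edit/8', ['id' => '7', 'quantity' => '2', 'note' => 'hi']],
    'extra field added'    => ['/orders/edit/7', ['id' => '7', 'quantity' => '2', 'note' => 'hi', 'price' => '0']],
    'field removed'        => ['/orders/edit/7', ['id' => '7', 'quantity' => '2']],
    'hidden value changed' => ['/orders/edit/7', ['id' => '8', 'quantity' => '2', 'note' => 'hi']],
];

foreach ($cases as $label => [$action, $post]) {
    $ok = isUntampered($token, $action, $post, $hiddenNames, $secret);
    printf("%-22s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the first case is accepted; each of the other four corresponds to one bullet in the list above.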

Constants summary

  • string
    DEFAULT_EXCEPTION_MESSAGE
    'Form tampering protection token validation failed.'

Properties summary

  • $_componentMap protected
    array

    A component lookup table used to lazy load component objects.

  • $_config protected
    array

    Runtime config

  • $_configInitialized protected
    bool

    Whether the config property has already been configured with defaults

  • $_defaultConfig protected
    array

    Default config

  • $_registry protected
    \Cake\Controller\ComponentRegistry

    Component registry class used to lazy load components.

  • $components public
    array

    Other Components this component uses.

Method Detail

__construct() public

__construct(\Cake\Controller\ComponentRegistry $registry, array $config)

Constructor

Parameters

\Cake\Controller\ComponentRegistry $registry

A component registry this component can use to lazy load its components.

array $config optional

Array of configuration settings.

__debugInfo() public

__debugInfo()

Returns an array that can be used to describe the internal state of this object.

Returns

array

__get() public

__get(string $name)

Magic method for lazy loading $components.

Parameters

string $name

Name of component to get.

Returns

\Cake\Controller\Component|null

A Component object or null.

_configDelete() protected

_configDelete(string $key)

Deletes a single config key.

Parameters

string $key

Key to delete.

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

_configRead() protected

_configRead(?string $key)

Reads a config key.

Parameters

string|null $key

Key to read.

Returns

mixed

_configWrite() protected

_configWrite(mixed $key, mixed $value, mixed $merge)

Writes a config key.

Parameters

string|array $key

Key to write to.

mixed $value

Value to write.

bool|string $merge optional

True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

configShallow() public

configShallow(mixed $key, mixed $value)

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key

The key to set, or a complete array of configs.

mixed|null $value optional

The value to set.

Returns

$this

executeCallback() protected

executeCallback(\Closure $callback, \Cake\Http\Exception\BadRequestException $exception)

Execute callback.

Parameters

\Closure $callback

A valid callable

\Cake\Http\Exception\BadRequestException $exception

Exception instance.

Returns

\Cake\Http\Response|null

getConfig() public

getConfig(?string $key, mixed $default)

Returns the config.

Usage

Reading the whole config:

$this->getConfig();

Reading a specific value:

$this->getConfig('key');

Reading a nested value:

$this->getConfig('some.nested.key');

Reading with default value:

$this->getConfig('some-key', 'default-value');

Parameters

string|null $key optional

The key to get or null for the whole config.

mixed $default optional

The return value when the key does not exist.

Returns

mixed

Configuration data at the named key or null if the key does not exist.

getConfigOrFail() public

getConfigOrFail(string $key)

Returns the config for this specific key.

The config value for this key must exist; it can never be null.

Parameters

string $key

The key to get.

Returns

mixed

Configuration data at the named key

Throws

InvalidArgumentException

getController() public

getController()

Get the controller this component is bound to.

Returns

\Cake\Controller\Controller

The bound controller.

implementedEvents() public

implementedEvents()

Events supported by this component.

Returns

array

initialize() public

initialize(array $config)

Constructor hook method.

Implement this method to avoid having to overwrite the constructor and call parent.

Parameters

array $config

The configuration settings provided to this component.

log() public

log(string $message, mixed $level, mixed $context)

Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

Parameters

string $message

Log message.

int|string $level optional

Error level.

string|array $context optional

Additional log data relevant to this message.

Returns

bool

Success of log write.

setConfig() public

setConfig(mixed $key, mixed $value, mixed $merge)

Sets the config.

Usage

Setting a specific value:

$this->setConfig('key', $value);

Setting a nested value:

$this->setConfig('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->setConfig(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key

The key to set, or a complete array of configs.

mixed|null $value optional

The value to set.

bool $merge optional

Whether to recursively merge or overwrite existing config, defaults to true.

Returns

$this

Throws

Cake\Core\Exception\Exception
When trying to set a key that is invalid.

startup() public

startup(\Cake\Event\EventInterface $event)

Component startup.

Token check happens here.

Parameters

\Cake\Event\EventInterface $event

An Event instance

Returns

\Cake\Http\Response|null

validationFailure() protected

validationFailure(\Cake\Form\FormProtector $formProtector)

Throws a 400 - Bad request exception or calls custom callback.

If the validationFailureCallback config is specified, that callback is executed with the exception passed as its argument.

Parameters

\Cake\Form\FormProtector $formProtector

Form Protector instance.

Returns

\Cake\Http\Response|null

If specified, validationFailureCallback's response, or no return otherwise.

Throws

Cake\Http\Exception\BadRequestException

Property Detail

$_componentMap protected

A component lookup table used to lazy load component objects.

Type

array

$_config protected

Runtime config

Type

array

$_configInitialized protected

Whether the config property has already been configured with defaults

Type

bool

$_defaultConfig protected

Default config

  • validate - Whether to validate request body / data. Set to false to disable for data coming from 3rd party services, etc.
  • unlockedFields - Form fields to exclude from validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked.
  • unlockedActions - Actions to exclude from POST validation checks.
  • validationFailureCallback - Callback to call in case of validation failure. Must be a valid Closure. Unset by default, in which case an exception is thrown on validation failure.

Type

array
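The options above, applied in a controller. This is an added example, not code from the CakePHP documentation; the controller name `OrdersController`, the action `paymentWebhook` and the field `client_timezone` are hypothetical placeholders.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Http\Exception\BadRequestException;

// Hypothetical controller; action and field names are placeholders.
class OrdersController extends Controller
{
    public function initialize(): void
    {
        parent::initialize();

        $this->loadComponent('FormProtection', [
            // Skip the token check only for the endpoint a third party posts to.
            'unlockedActions' => ['paymentWebhook'],
            // Field filled in client-side, so it is excluded from validation.
            'unlockedFields' => ['client_timezone'],
            'validationFailureCallback' => function (BadRequestException $exception) {
                // Record the rejection for monitoring, then fail closed with a 400.
                $this->log(
                    sprintf(
                        'Form tampering check failed for %s: %s',
                        $this->getRequest()->getRequestTarget(),
                        $exception->getMessage()
                    ),
                    'warning'
                );

                return $this->getResponse()
                    ->withStatus(400)
                    ->withStringBody('Bad Request');
            },
        ]);
    }
}
```

Every entry in `unlockedActions` and `unlockedFields` is input the component no longer checks, so keep both lists as short as the application allows and validate that data by other means.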

$_registry protected

Component registry class used to lazy load components.

Type

\Cake\Controller\ComponentRegistry

$components public

Other Components this component uses.

Type

array

© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.1/class-Cake.Controller.Component.FormProtectionComponent.html