Fr3nch13/CakePHP Utilities

FormProtectionComponent extends Component

Protects against form tampering. It ensures that:

  • Form's action (URL) is not modified.
  • Unknown / extra fields are not added to the form.
  • Existing fields have not been removed from the form.
  • Values of hidden inputs have not been changed.
Tags
psalm-property

array{validate:bool, unlockedFields:array, unlockedActions:array, validationFailureCallback:?\Closure} $_config

Table of Contents

Constants

DEFAULT_EXCEPTION_MESSAGE  = 'Form tampering protection token validation failed.'
Default message used for exceptions thrown.

Properties

$_componentMap  : array<string, array<string|int, mixed>>
A component lookup table used to lazy load component objects.
$_config  : array<string, mixed>
Runtime config
$_configInitialized  : bool
Whether the config property has already been configured with defaults
$_defaultConfig  : array<string, mixed>
Default config
$_registry  : ComponentRegistry
Component registry class used to lazy load components.
$components  : array<string|int, mixed>
Other Components this component uses.

Methods

__construct()  : mixed
Constructor
__debugInfo()  : array<string, mixed>
Returns an array that can be used to describe the internal state of this object.
__get()  : Component|null
Magic method for lazy loading $components.
configShallow()  : $this
Merge provided config with existing config. Unlike `config()` which does a recursive merge for nested keys, this method does a simple merge.
getConfig()  : mixed
Returns the config.
getConfigOrFail()  : mixed
Returns the config for this specific key.
getController()  : Controller
Get the controller this component is bound to.
implementedEvents()  : array<string, mixed>
Events supported by this component.
initialize()  : void
Constructor hook method.
log()  : bool
Convenience method to write a message to Log. See Log::write() for more information on writing to logs.
setConfig()  : $this
Sets the config.
startup()  : Response|null
Component startup.
_configDelete()  : void
Deletes a single config key.
_configRead()  : mixed
Reads a config key.
_configWrite()  : void
Writes a config key.
executeCallback()  : Response|null
Execute callback.
validationFailure()  : Response|null
Throws a 400 - Bad request exception or calls custom callback.

Constants

DEFAULT_EXCEPTION_MESSAGE

Default message used for exceptions thrown.

public string DEFAULT_EXCEPTION_MESSAGE = 'Form tampering protection token validation failed.'

Properties

$_componentMap

A component lookup table used to lazy load component objects.

protected array<string, array<string|int, mixed>> $_componentMap = []

$_configInitialized

Whether the config property has already been configured with defaults

protected bool $_configInitialized = false

$_defaultConfig

Default config

protected array<string, mixed> $_defaultConfig = ['validate' => true, 'unlockedFields' => [], 'unlockedActions' => [], 'validationFailureCallback' => null]
  • validate - Whether to validate request body / data. Set to false to disable for data coming from 3rd party services, etc.
  • unlockedFields - Form fields to exclude from validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked.
  • unlockedActions - Actions to exclude from POST validation checks.
  • validationFailureCallback - Callback to call in case of validation failure. Must be a valid Closure. Unset by default, in which case an exception is thrown on validation failure.
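
A controller-side configuration using the options above, as an added example that is not part of this page or the project's code. It assumes a CakePHP application in which the component is loaded under the alias `FormProtection`; the controller, action and field names are hypothetical.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Event\EventInterface;
use Cake\Http\Exception\BadRequestException;
use Cake\Log\Log;

// Hypothetical controller: OrdersController, paymentWebhook and line_items
// are illustrative names, not taken from the documented project.
class OrdersController extends Controller
{
    public function initialize(): void
    {
        parent::initialize();

        $this->loadComponent('FormProtection', [
            // Inputs added or rewritten by client-side script cannot be
            // predicted when the form is rendered, so they are unlocked.
            // Unlocked fields are not integrity-checked: validate them
            // in the action like any other untrusted input.
            'unlockedFields' => ['line_items'],
        ]);
    }

    public function beforeFilter(EventInterface $event): void
    {
        parent::beforeFilter($event);

        // A third-party webhook never rendered our form, so it carries no
        // token. Skip the check for that action only and authenticate the
        // caller some other way (for example a signed request header).
        $this->FormProtection->setConfig('unlockedActions', ['paymentWebhook']);

        // Record every failed check, then keep the default 400 behaviour.
        // The callback may instead return a Response object.
        $this->FormProtection->setConfig(
            'validationFailureCallback',
            function (BadRequestException $exception) {
                Log::warning('Form protection check failed: ' . $exception->getMessage());

                throw $exception;
            }
        );
    }
}
```

Keeping `unlockedActions` and `unlockedFields` as narrow as possible preserves the tampering checks for every other form in the controller.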

$components

Other Components this component uses.

protected array<string|int, mixed> $components = []

Methods

__construct()

Constructor

public __construct(ComponentRegistry $registry[, array<string, mixed> $config = [] ]) : mixed
Parameters
$registry : ComponentRegistry

A component registry this component can use to lazy load its components.

$config : array<string, mixed> = []

Array of configuration settings.

__debugInfo()

Returns an array that can be used to describe the internal state of this object.

public __debugInfo() : array<string, mixed>
Return values
array<string, mixed>

__get()

Magic method for lazy loading $components.

public __get(string $name) : Component|null
Parameters
$name : string

Name of component to get.

Return values
Component|null

A Component object or null.

configShallow()

Merge provided config with existing config. Unlike `config()` which does a recursive merge for nested keys, this method does a simple merge.

public configShallow(array<string, mixed>|string $key[, mixed|null $value = null ]) : $this

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);
Parameters
$key : array<string, mixed>|string

The key to set, or a complete array of configs.

$value : mixed|null = null

The value to set.

Return values
$this

getConfig()

Returns the config.

public getConfig([string|null $key = null ][, mixed $default = null ]) : mixed

Usage

Reading the whole config:

$this->getConfig();

Reading a specific value:

$this->getConfig('key');

Reading a nested value:

$this->getConfig('some.nested.key');

Reading with default value:

$this->getConfig('some-key', 'default-value');
Parameters
$key : string|null = null

The key to get or null for the whole config.

$default : mixed = null

The return value when the key does not exist.

Return values
mixed

Configuration data at the named key or null if the key does not exist.

getConfigOrFail()

Returns the config for this specific key.

public getConfigOrFail(string $key) : mixed

The config value for this key must exist; it can never be null.

Parameters
$key : string

The key to get.

Tags
throws
InvalidArgumentException
Return values
mixed

Configuration data at the named key

getController()

Get the controller this component is bound to.

public getController() : Controller
Return values
Controller

The bound controller.

implementedEvents()

Events supported by this component.

public implementedEvents() : array<string, mixed>
Return values
array<string, mixed>

initialize()

Constructor hook method.

public initialize(array<string, mixed> $config) : void

Implement this method to avoid having to overwrite the constructor and call parent.

Parameters
$config : array<string, mixed>

The configuration settings provided to this component.

log()

Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

public log(string $message[, string|int $level = LogLevel::ERROR ][, array<string|int, mixed>|string $context = [] ]) : bool
Parameters
$message : string

Log message.

$level : string|int = LogLevel::ERROR

Error level.

$context : array<string|int, mixed>|string = []

Additional log data relevant to this message.

Return values
bool

Success of log write.

setConfig()

Sets the config.

public setConfig(array<string, mixed>|string $key[, mixed|null $value = null ][, bool $merge = true ]) : $this

Usage

Setting a specific value:

$this->setConfig('key', $value);

Setting a nested value:

$this->setConfig('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->setConfig(['one' => 'value', 'another' => 'value']);
Parameters
$key : array<string, mixed>|string

The key to set, or a complete array of configs.

$value : mixed|null = null

The value to set.

$merge : bool = true

Whether to recursively merge or overwrite existing config, defaults to true.

Tags
throws
CakeException

When trying to set a key that is invalid.

Return values
$this

_configDelete()

Deletes a single config key.

protected _configDelete(string $key) : void
Parameters
$key : string

Key to delete.

Tags
throws
CakeException

If attempting to clobber existing config.

_configRead()

Reads a config key.

protected _configRead(string|null $key) : mixed
Parameters
$key : string|null

Key to read.

_configWrite()

Writes a config key.

protected _configWrite(array<string, mixed>|string $key, mixed $value[, string|bool $merge = false ]) : void
Parameters
$key : array<string, mixed>|string

Key to write to.

$value : mixed

Value to write.

$merge : string|bool = false

True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Tags
throws
CakeException

If attempting to clobber existing config.

validationFailure()

Throws a 400 - Bad request exception or calls custom callback.

protected validationFailure(FormProtector $formProtector) : Response|null

If the validationFailureCallback config is specified, that callback is executed with the exception passed as its argument.

Parameters
$formProtector : FormProtector

Form Protector instance.

Tags
throws
BadRequestException
Return values
Response|null

If specified, validationFailureCallback's response, or no return otherwise.


        