CakePHP: using Security::allowedControllers and Security::allowedActions

2
votes

I'm trying to use Security::allowedControllers and Security::allowedActions. So I have a controller which look more or less like this

class AppController extends Controller {
    var $components = array('Security'); //other components
    //other stuff
}

class BookController extends AppController {
    function beforeFilter() {
        parent::beforeFilter();
        $this->Security->allowedControllers = array('Users');
        $this->Security->allowedActions = array('view');
        $this->Security->RequireAuth = array('search', 'results');
    }
    //other stuff
}

The action 'search' displays a form, which then calls 'results' to show the results of the search. I am intentionally trying to be blackholed.

For what I understand of $this->Security->allowedControllers and $this->Security->allowedActions, I should be able to get POST data only from the action 'view' of the controller 'Users'. In particular the action 'results' should redirect me to a black hole, since it obtains POST data from the action 'search' of the controller 'Books'.

But this is not the case. I can even make cross controller requests, and never get blackholed, so I guess I'm not using correctly this variables. What is the right way to trigger cross-controller requests control?

2
phpsecuritycakephp
You may want to add the "php" tag to this question to attract more viewers (even though it is very cake specific). - Pekka
And, totally unrelated :) I just clicked through to your home page, Gasse can't be abbreviated with ß in German. Just in case. - Pekka
Thank you for the German tip, I will fix it! ;-) - Andrea
I was, when I wrote the question. The application was developed for 1.2 since 1.3 was not out yet whn I began. - Andrea

2 Answers

0
votes

Try this:

$this->Security->allowedFields = array('Model.fieldname', ...);

You need to add the fields that are not in the model to the allowedFields like I guess your Model.search field in the form.