Setup
- CakePHP 3.4.6
- nginx
- SSL redirect for all URLs
- The app lies within a subfolder on the webserver and the nginx-config is appropriately set.
Issue
On the live server with SSL (on nginx) I get the following error when using postLink() to delete data (on any form):
URL mismatch in POST data (expected '/somewhere/delete/1001' but found
'/somewhere/delete/1001?url=%somewhere%2Fdelete%2F1001')
Cake\Controller\Exception\AuthSecurityException
toggle vendor stack frames
⟩ Cake\Controller\Component\SecurityComponent->_validatePost
CORE/src/Controller/Component/SecurityComponent.php, line 120
⟩ Cake\Controller\Component\SecurityComponent->startup
CORE/src/Event/EventManager.php, line 414
⟩ Cake\Event\EventManager->_callListener
CORE/src/Event/EventManager.php, line 391
⟩ Cake\Event\EventManager->dispatch
CORE/src/Event/EventDispatcherTrait.php, line 78
⟩ Cake\Controller\Controller->dispatchEvent
CORE/src/Controller/Controller.php, line 506
⟩ Cake\Controller\Controller->startupProcess
Posting form and saving them works completely fine. The URL seems to be rewritten somewhere during the request.
The HTML contains the action action="/somewhere/delete/1001"
So that seems to be fine. Maybe the nginx redirect is modifying this in an not allowed way. Because I have one rule like:
rewrite ^/project/abc/webroot/(.*) /project/abc/webroot/index.php?url=$1 last;
But I can't remove this rewrite without getting a 404.
However, can I allow this URLs in the beforeFilter for delete action somehow?
?url=$1part? Taking that off should probably fix the problem. - ahoffner