CakePHP 3.8. Security Component - FormHelper end() method - cakephp-3.0

Exact Problem and the Solution
Upon activating the CakePHP (3) Security Component, when loading a form, you generate three hidden fields in the form. These are '_Token[fields]', '_Token[unlocked]' and '_Token[debug]'. What exactly happens is the Form->end() method calls the secure() method (see FormHelper) when the request data contains a ['Token'] parameter.
The forms that were not working for me were all forms rendered as an Element. For these forms, the '$this->request->params' did not contain the parameter normally generated by the Security Component.
Solution was in manually adding the parameter to the request data..
$this->request->params['_Token'] = ['unlockedFields' => []];
This than runs through the secure() method of FormHelper, as it should, and token parameters are correctly added.
Original Question
I have an issue using the SecurityComponent of CakePHP 3.8.
Everything was working fine, until I loaded Component in my AppController.
If (!$this->request->is('ajax')) {
$this->loadComponent('Security');
}
My forms were working fine, but upon activating the component I get an error message. Apparently using the Security Component checks for an additional token apart from the csrf-token.
'_Token' was not found in request data.
I found a solution in customizing the Form->end() method.
"The end() method closes and completes a form. Often, end() will only
output a closing form tag, but using end() is a good practice as it
enables FormHelper to insert the hidden form elements that
Cake\Controller\Component\SecurityComponent requires."
I customized my end method as suggested in documentation:
echo $this->Form->end(['data-type' => 'hidden']);
But my output in HTML differs from the output in the documentation..
Documentation Output:
<div style="display:none;">
<input type="hidden" name="_Token[fields]" data-type="hidden"
value="2981c38990f3f6ba935e6561dc77277966fabd6d%3AAddresses.id">
<input type="hidden" name="_Token[unlocked]" data-type="hidden"
value="address%7Cfirst_name">
</div>
Example of a non-working form..
echo $this->Form->create($athlete, ['url' => ['controller' => 'Athletesux', 'action' => $action]]);
echo $this->Form->control('user_id', ['type' => 'hidden', 'value' => $userid]);
echo $this->Form->control('first_name');
echo $this->Form->control('last_name');
echo $this->Form->control('threek_time', ['value' => $athlete['3K_time']]);
echo $this->Form->control('fivek_time', ['value' => $athlete['5K_time']]);
echo $this->Form->control('tenk_time', ['value' => $athlete['10K_time']]);
echo $this->Form->select('country', $countryoptions);
echo $this->Form->select('gender', $gender);
echo $this->Form->button('Add Athlete');
echo $this->Form->end();
My output contains only one hidden field, for '_csrfToken'...
Can anyone explain what I can do about this? I don't find much information on this..
Thanks!

Related

Transactional Emails - Default Styling and Variables in Magento 1.9

I'm looking for 2 specific variables.
Wishlist - The var_message variable has some styling to it that im trying to edit.
Abandoned Carts - pulls on this extension URL : connector/email/basket/code/secret/quote_id/*****
And im unable to find the location of the file that is accessed by that URL or command.
Any assistance that can be provided would be greatly appreciated.
Also if someone could tell me how i might trace the locations of these things without "Just knowing" that would be grand too.
Kind Regards,
the correct variable name is message (not var_message)
variable message is populated in controller Mage_Wishlist_IndexController
inside method sendAction
here it is:
$emailModel = Mage::getModel('core/email_template');
$sharingCode = $wishlist->getSharingCode();
foreach ($emails as $email) {
$emailModel->sendTransactional(
Mage::getStoreConfig('wishlist/email/email_template'),
Mage::getStoreConfig('wishlist/email/email_identity'),
$email,
null,
array(
'customer' => $customer,
'salable' => $wishlist->isSalable() ? 'yes' : '',
'items' => $wishlistBlock,
'addAllLink' => Mage::getUrl('*/shared/allcart', array('code' => $sharingCode)),
'viewOnSiteLink' => Mage::getUrl('*/shared/index', array('code' => $sharingCode)),
'message' => $message
)
);
}
$wishlist->setShared(1);
$wishlist->save();
and the actual content of the message comes from a form input and gets fetched over here:
$message = nl2br(htmlspecialchars((string) $this->getRequest()->getPost('message')));
there is no actual styling or css assigned to it. In fact most of styles are defined inline in email templates

Cannot load default values in input fields using FormHelper in cakephp 3.x

I'm facing a very wierd situation concerning a quite simple task.
I'm trying to create a very simple edit form in my application using
cakephp 3.x version.
In my ContentsController::edit($contentID) method I'm loading the content entity to be edited like this
$content = $this->Contents->findById($contentID)->first()
and then I'm simply creating the respective view variable using set() method like that:
$this->set('content', $content);
In the view file - named edit.ctp - all I'm doing is to simply create
a new form using FormHelper using the following piece of code:
<h2><?= __('Edit content: ') . $content->title; ?></h2>
<?php
echo $this->Form->create($content);
echo $this->Form->input('title', ['type' => 'text']);
echo $this->Form->input('alias', ['type' => 'text']);
echo $this->Form->input('body', ['type' => 'textarea']);
echo $this->Form->submit();
?>
The following code creates the form correctly but it does not load the default values in each input element from the $content entity. After doing some digging into the source code of the FormHelper I found out that when the FormHelper::create() method is called, it correctly loads the EntityContext interface using the $content entity. But for some reason, which I cannot explain, in each of the FormHelper::input() calls, internally the context interface is switching to NullContext so no data is loaded into the field.
Does anyone have an idea what am I doing wrong with that piece of code?
After some more digging I found the real cause of the issue.
FormHelper works correctly and so does my query.
The issue has to do with the view file and how it is rendered.
The whole picture is this.
My view (edit.ctp) was an extension of a common skeleton I created, namely edit_frm.ctp. So in my view file I was extending by calling $this->extend('/Common/edit_frm');
The structure of the edit_frm.ctp consists of three blocks, as shown below (I removed the html markup)
<?php
// Common/edit_frm.ctp
$this->fetch('formStart');
$this->fetch('formPrimaryOptions');
$this->fetch('formSecondaryOptions');
$this->fetch('formEnd');
?>
Now in my view file (edit.ctp) I was creating the blocks like that:
<?php
// Contents/edit.ctp
$this->extend('Common/edit_frm');
// The "formStart" block contains the opening of the form
$this->start('formStart');
echo $this->Form->create($content);
$this->end('formStart');
// The "formEnd" block contains the submit button and the form closing tag
$this->start('formEnd');
echo $this->Form->submit();
echo $this->Form->end();
$this->end('formEnd');
// "formPrimaryOptions" contains the main input fields
$this->start('formPrimaryOptions');
echo $this->Form->input('title', ['type' => 'text']);
echo $this->Form->input('alias', ['type' => 'text']);
echo $this->Form->input('body', ['type' => 'textarea']);
$this->end('formPrimaryOptions');
?>
As you see in my view file, I was building the formEnd block before the construction of the formPrimaryOptions block. Though in my skeleton the blocks are fetched in a different order.
Apparently in CakePHP when you extend a view combined with blocks of content in the actual view file you must create your blocks in the same order as they are fetched, otherwise you end up in weird situations like the one I was facing.
In any case, I had a very good lesson today!!
Maybe you can do this instead of findById:
$content = $this->Contents->find('all')->where(['id' => $contentID])->first();

Google recaptcha validation in yii2 always fails

I use himiklab/yii2-recaptcha-widget. I always get a validation error when I submit the form.
{"captcha":["The verification code is incorrect."]}.
Form:
$form->field($model, 'captcha',['template' => "{input}\n{hint}\n{error}"])->widget(
\himiklab\yii2\recaptcha\ReCaptcha::className(),
[
'siteKey' => <mysitekey>,
'widgetOptions' => ['id'=>'recaptcha1']
])
Controller:
if(isset($_POST['Contact'])){
if ($model->load(Yii::$app->request->post()) && $model->save()) {
What am I doing wrong?
The problem is that Yii always run validation twice, on validation() method and during the save executes again the validation, this cause that the first validation is successful however the second returns an error.
So, for the second case you will need to save without running the validations, which save(false).
The second chance might be to unhook the validation of the captcha just before the safe() method.

How to use Url::remember in yii2

I want to create a link on my error page to take user back to the previous link.
Suppose the current URL is http://example.com/site/product, and a user try to view
http://example.com/site/product?id=100 and a product with id =100 does not exit, the system should throw 404 error to the error page, now if i want to create a link to take the user back to http://example.com/site/product the previous URl how do I make this work. i can make this work by hardcoding this in my error views file, but i want it dynamically as i have many controller an action using the same view file.
I try this in my site conteoller
controller/site
public function actions()
{
$url = Url::remember();
return [
'error' => [
'class' => 'yii\web\ErrorAction',
],
$this->render('error',['url'=>$url]),
];
}
and try to get the value the in error view file like this
/views/site/error.php
<p>
<?= Html::a('go back', [$url)?>
</p>
but it has no vaule..
please any good idea on how to make this work, am also open to new solution
this is form Yii2 Guide http://www.yiiframework.com/doc-2.0/guide-helper-url.html#remember-urls
There are cases when you need to remember URL and afterwards use it
during processing of the one of sequential requests. It can be
achieved in the following way:
// Remember current URL Url::remember();
// Remember URL specified. See Url::to() for argument format.
Url::remember(['product/view', 'id' => 42]);
// Remember URL specified with a name given
Url::remember(['product/view', 'id' => 42], 'product');
In the next
request we can get URL remembered in the following way:
$url = Url::previous();
// or
$productUrl = Url::previous('product');

yii2 hidden input value

In Yii2 I'm trying to construct hidden input
echo $form->field($model, 'hidden1')->hiddenInput()->label(false);
But I also need it to have some value option, how can I do that ?
Use the following:
echo $form->field($model, 'hidden1')->hiddenInput(['value'=> $value])->label(false);
Changing the value here doesn't make sense, because it's active field. It means value will be synchronized with the model value.
Just change the value of $model->hidden1 to change it. Or it will be changed after receiving data from user after submitting form.
With using non-active hidden input it will be like that:
use yii\helpers\Html;
...
echo Html::hiddenInput('name', $value);
But the latter is more suitable for using outside of model.
simple you can write:
<?= $form->field($model, 'hidden1')->hiddenInput(['value'=>'abc value'])->label(false); ?>
You can do it with the options
echo $form->field($model, 'hidden1',
['options' => ['value'=> 'your value'] ])->hiddenInput()->label(false);
you can also do this
$model->hidden1 = 'your value';// better put it on controller
$form->field($model, 'hidden1')->hiddenInput()->label(false);
this is a better option if you set value on controller
$model = new SomeModelName();
if ($model->load(Yii::$app->request->post()) && $model->save()) {
return $this->redirect(['view', 'id' => $model->group_id]);
} else {
$model->hidden1 = 'your value';
return $this->render('create', [
'model' => $model,
]);
}
Like This:
<?= $form->field($model, 'hidden')->hiddenInput(['class' => 'form-control', 'maxlength' => true,])->label(false) ?>
You can use this code line in view(form)
<?= $form->field($model, 'hidden1')->hiddenInput(['value'=>'your_value'])->label(false) ?>
Please refere this as example
If your need to pass currant date and time as hidden input :
Model attribute is 'created_on' and its value is retrieve from date('Y-m-d H:i:s') ,
just like:"2020-03-10 09:00:00"
<?= $form->field($model, 'created_on')->hiddenInput(['value'=>date('Y-m-d H:i:s')])->label(false) ?>
<?= $form->field($model, 'hidden_Input')->hiddenInput(['id'=>'hidden_Input','class'=>'form-control','value'=>$token_name])->label(false)?>
or
<input type="hidden" name="test" value="1" />
Use This.
You see, the main question while using hidden input is what kind of data you want to pass?
I will assume that you are trying to pass the user ID.
Which is not a really good idea to pass it here because field() method will generate input
and the value will be shown to user as we can't hide html from the users browser. This if you really care about security of your website.
please check this link, and you will see that it's impossible to hide value attribute from users to see.
so what to do then?
See, this is the core of OOP in PHP.
and I quote from Matt Zandstr in his great book PHP Objects, Patterns, and Practice fifth edition
I am still stuck with a great deal of unwanted flexibility, though. I rely on the client coder to change a ShopProduct object’s properties from their default values. This is problematic in two ways. First, it takes five lines to properly initialize a ShopProduct object, and no coder will thank you for that. Second, I have no way of ensuring that any of the properties are set when a ShopProduct object is initialized. What I need is a method that is called automatically when an object is instantiated from a class.
Please check this example of using __construct() method which is mentioned in his book too.
class ShopProduct {
public $title;
public $producerMainName;
public $producerFirstName;
public $price = 0;
public function __construct($title,$firstName,$mainName,$price) {
$this->title = $title;
$this->producerFirstName = $firstName;
$this->producerMainName = $mainName;
$this->price = $price;
}
}
And you can simply do this magic.
$product1 = new ShopProduct("My Antonia","Willa","Cather",5.99 );
print "author: {$product1->getProducer()}\n";
This produces the following:
author: Willa Cather
In your case it will be something semilar to this, every time you create an object just pass the user ID to the user_id property, and save yourself a lot of coding.
Class Car {
private $user_id;
//.. your properties
public function __construct($title,$firstName,$mainName,$price){
$this->user_id = \Yii::$app->user->id;
//..Your magic
}
}
I know it is old post but sometimes HTML is ok :
<input id="model-field" name="Model[field]" type="hidden" value="<?= $model->field ?>">
Please take care
id : lower caps with a - and not a _
name : 1st letter in caps