Class FormProtectionComponent

Protects against form tampering. It ensures that:

  • Form's action (URL) is not modified.
  • Unknown / extra fields are not added to the form.
  • Existing fields have not been removed from the form.
  • Values of hidden inputs have not been changed.
Namespace: Cake\Controller\Component

Constants

  • string
    DEFAULT_EXCEPTION_MESSAGE 
    'Form tampering protection token validation failed.'

    Default message used for exceptions thrown.

Property Summary

  • $_componentMap protected
    array<string, array>

    A component lookup table used to lazy load component objects.

  • $_config protected
    array<string, mixed>

    Runtime config

  • $_configInitialized protected
    bool

    Whether the config property has already been configured with defaults

  • $_defaultConfig protected
    array<string, mixed>

    Default config

  • $_registry protected
    Cake\Controller\ComponentRegistry

    Component registry class used to lazy load components.

  • $components protected
    array

    Other Components this component uses.

Method Summary

Method Detail

__construct() public 

__construct(Cake\Controller\ComponentRegistry $registry, array<string, mixed> $config = [])

Constructor

Parameters

Cake\Controller\ComponentRegistry $registry

A component registry this component can use to lazy load its components.

array<string, mixed> $config optional

Array of configuration settings.

__debugInfo() public 

__debugInfo(): array<string, mixed>

Returns an array that can be used to describe the internal state of this object.

Returns

array<string, mixed>

__get() public 

__get(string $name): Cake\Controller\Component|null

Magic method for lazy loading $components.

Parameters

string $name

Name of component to get.

Returns

Cake\Controller\Component|null

_configDelete() protected 

_configDelete(string $key): void

Deletes a single config key.

Parameters

string $key

Key to delete.

Returns

void

Throws

Cake\Core\Exception\CakeException
if attempting to clobber existing config

_configRead() protected 

_configRead(string|null $key): mixed

Reads a config key.

Parameters

string|null $key

Key to read.

Returns

mixed

_configWrite() protected 

_configWrite(array<string, mixed>|string $key, mixed $value, string|bool $merge = false): void

Writes a config key.

Parameters

array<string, mixed>|string $key

Key to write to.

mixed $value

Value to write.

string|bool $merge optional

True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Returns

void

Throws

Cake\Core\Exception\CakeException
if attempting to clobber existing config

configShallow() public 

configShallow(array<string, mixed>|string $key, mixed|null $value = null): $this

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);

Parameters

array<string, mixed>|string $key

The key to set, or a complete array of configs.

mixed|null $value optional

The value to set.

Returns

$this

executeCallback() protected 

executeCallback(Closure $callback, Cake\Http\Exception\BadRequestException $exception): Cake\Http\Response|null

Execute callback.

Parameters

Closure $callback

A valid callable

Cake\Http\Exception\BadRequestException $exception

Exception instance.

Returns

Cake\Http\Response|null

getConfig() public 

getConfig(string|null $key = null, mixed $default = null): mixed

Returns the config.

Usage

Reading the whole config:

$this->getConfig();

Reading a specific value:

$this->getConfig('key');

Reading a nested value:

$this->getConfig('some.nested.key');

Reading with default value:

$this->getConfig('some-key', 'default-value');

Parameters

string|null $key optional

The key to get or null for the whole config.

mixed $default optional

The return value when the key does not exist.

Returns

mixed

getConfigOrFail() public 

getConfigOrFail(string $key): mixed

Returns the config for this specific key.

The config value for this key must exist, it can never be null.

Parameters

string $key

The key to get.

Returns

mixed

Throws

InvalidArgumentException

getController() public 

getController(): Cake\Controller\Controller

Get the controller this component is bound to.

Returns

Cake\Controller\Controller

implementedEvents() public 

implementedEvents(): array<string, mixed>

Events supported by this component.

Uses Conventions to map controller events to standard component callback method names. By defining one of the callback methods a component is assumed to be interested in the related event.

Override this method if you need to add non-conventional event listeners. Or if you want components to listen to non-standard events.

Returns

array<string, mixed>

initialize() public 

initialize(array<string, mixed> $config): void

Constructor hook method.

Implement this method to avoid having to overwrite the constructor and call parent.

Parameters

array<string, mixed> $config

The configuration settings provided to this component.

Returns

void

log() public 

log(string $message, string|int $level = LogLevel::ERROR, array|string $context = []): bool

Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

Parameters

string $message

Log message.

string|int $level optional

Error level.

array|string $context optional

Additional log data relevant to this message.

Returns

bool

setConfig() public 

setConfig(array<string, mixed>|string $key, mixed|null $value = null, bool $merge = true): $this

Sets the config.

Usage

Setting a specific value:

$this->setConfig('key', $value);

Setting a nested value:

$this->setConfig('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->setConfig(['one' => 'value', 'another' => 'value']);

Parameters

array<string, mixed>|string $key

The key to set, or a complete array of configs.

mixed|null $value optional

The value to set.

bool $merge optional

Whether to recursively merge or overwrite existing config, defaults to true.

Returns

$this

Throws

Cake\Core\Exception\CakeException
When trying to set a key that is invalid.

startup() public 

startup(Cake\Event\EventInterface $event): Cake\Http\Response|null

Component startup.

Token check happens here.

Parameters

Cake\Event\EventInterface $event

An Event instance

Returns

Cake\Http\Response|null

validationFailure() protected 

validationFailure(Cake\Form\FormProtector $formProtector): Cake\Http\Response|null

Throws a 400 - Bad request exception or calls custom callback.

If validationFailureCallback config is specified, it will use this callback by executing the method passing the argument as exception.

Parameters

Cake\Form\FormProtector $formProtector

Form Protector instance.

Returns

Cake\Http\Response|null

Throws

Cake\Http\Exception\BadRequestException

Property Detail

$_componentMap protected

A component lookup table used to lazy load component objects.

Type

array<string, array>

$_config protected

Runtime config

Type

array<string, mixed>

$_configInitialized protected

Whether the config property has already been configured with defaults

Type

bool

$_defaultConfig protected

Default config

  • validate - Whether to validate request body / data. Set to false to disable for data coming from 3rd party services, etc.
  • unlockedFields - Form fields to exclude from validation. Fields can be unlocked either in the Component, or with FormHelper::unlockField(). Fields that have been unlocked are not required to be part of the POST and hidden unlocked fields do not have their values checked.
  • unlockedActions - Actions to exclude from POST validation checks.
  • validationFailureCallback - Callback to call in case of validation failure. Must be a valid Closure. Unset by default in which case exception is thrown on validation failure.

Type

array<string, mixed>

$_registry protected

Component registry class used to lazy load components.

Type

Cake\Controller\ComponentRegistry

$components protected

Other Components this component uses.

Type

array

© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.4/class-Cake.Controller.Component.FormProtectionComponent.html