CakePHP 1.26: Bug in the "Security" component?

Posted on 2024-08-28 14:07:49 | Word count: 1564 | Views: 8 | Comments: 0

For those of you who may have read this earlier, I've done a little research and completely revamped my question. I've been having a problem where my form requests get blackholed by the Security component, although everything works fine when the Security component is disabled. I've traced it down to a single line in a form:

<?php echo $form->create('Audition');?>
    <fieldset>
        <legend><?php __('Edit Audition');?></legend>
    <?php
        echo $form->input('ensemble');
        echo $form->input('position');
        echo $form->input('aud_date');
        // The following line works fine...
        echo $form->input('owner');
        // ...but the following line blackholes when Security included
        // and the form is submitted:
        // echo $form->input('owner', array('disabled'=>'disabled'));
    ?>
    </fieldset>
<?php echo $form->end('Submit');?>

(I've commented out the offending line for clarity) I think I'm following the rules by using the form helper; as far as I can tell, this is a bug in the Security component, but I'm too much of a CakePHP n00b to know for sure. I'd love to get some feedback, and if it's a real bug, I'll submit it to the CakePHP team. I'd also love to know if I'm just being dumb and missing something obvious here.

(sorry to address comments here, but I didn't have enough space for them in comments)

UPDATE: Thanks Jesh, you're 100% right about that -- "an input value will not be submitted when it is disabled". I even looked it up on the official HTML spec, where it says, "[A disabled element] cannot receive user input nor will its value be submitted with the form". But Cake IS submitting the value with the form! When I disable using the Security Component, I can look at the POST data being submitted with the form, and sure enough, the 'owner' field has been submitted! Unfortunately, this is precisely the behavior I wanted, but it seems to be in disagreement with the official HTML spec...so I'm thinking that this is a bug with the standard form helper. I'll report this to the CakePHP team as a bug, but I'd love to hear from anyone who can confirm or refute this.

Also, Jesh, your idea to use the secure key and set it to false works great, but I really don't WANT to leave this field unsecured (in fact, I PARTICULARLY don't want to leave this field unsecured), and it seems to me that I shouldn't have to. In fact, now I'm thinking that this could ALSO be a bug in the Security component; I'm using the FormHelper to create my forms here -- so shouldn't the Security component be able to handle this??

@Miles: your solution works great too -- thanks! But it still leaves open the same questions I raised above.

Comments (3)

夕色琉璃 2024-09-04 14:07:49

Well, an input value will not be submitted when it is disabled. But since you output the field using CakePHP's FormHelper, SecurityComponent expects the input value to be listed in the Controller->data array; otherwise it blackholes your request.

Try adding the secure key to the form options array and setting it to false.

清醇 2024-09-04 14:07:49

Add this into your beforeFilter():

$this->Security->disabledFields = array('owner');

浪推晚风 2024-09-04 14:07:49

You can use readonly instead of disabled in the form. That works for me. Disabled is black-holed intentionally.
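
Why the disabled input gets blackholed, and what excluding `owner` from the check costs, shown as an added example that is not part of the original thread and is not CakePHP's own code: a simplified model in which the form token is a salted hash of the rendered field names. `SALT`, `fieldToken()`, `validatePost()` and `verdict()` are hypothetical names, and the POST arrays are constructed sample data.

```php
<?php
// Simplified model of form-tampering protection; NOT CakePHP's actual code.
// SALT, fieldToken() and validatePost() are hypothetical names.
const SALT = 'constructed-example-salt';

// Render time: hash the names of the fields the form contains,
// leaving out any field excluded from the check.
function fieldToken(array $rendered, array $excluded = []): string
{
    $names = array_values(array_diff($rendered, $excluded));
    sort($names);
    return sha1(serialize($names) . SALT);
}

// Submit time: recompute the hash from the field names that arrived.
function validatePost(array $post, string $token, array $excluded = []): bool
{
    $names = array_values(array_diff(array_keys($post), $excluded));
    sort($names);
    return hash_equals($token, sha1(serialize($names) . SALT));
}

function verdict(bool $ok): string
{
    return $ok ? 'accepted' : 'blackholed';
}

$rendered = ['ensemble', 'position', 'aud_date', 'owner'];

// Constructed POST bodies. A browser leaves a disabled control out of the submission.
$enabled  = ['ensemble' => 'Winds', 'position' => 'Oboe', 'aud_date' => '2010-05-01', 'owner' => '7'];
$disabled = ['ensemble' => 'Winds', 'position' => 'Oboe', 'aud_date' => '2010-05-01'];
$forged   = $disabled + ['owner' => '1']; // client adds its own owner value

// Case 1: every rendered field is checked.
$token = fieldToken($rendered);
echo 'owner enabled:            ', verdict(validatePost($enabled, $token)), "\n";
echo 'owner disabled:           ', verdict(validatePost($disabled, $token)), "\n";

// Case 2: owner is excluded from the check (the disabledFields approach).
$token = fieldToken($rendered, ['owner']);
echo 'excluded, owner missing:  ', verdict(validatePost($disabled, $token, ['owner'])), "\n";
echo 'excluded, owner forged:   ', verdict(validatePost($forged, $token, ['owner'])), "\n";
```

In this model the disabled submission fails only because the field list no longer matches the token, and once `owner` is excluded a client-supplied value passes the check too. A controller that excludes the field should set `owner` server-side rather than read it from the POST data.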
