ali3nado / CakePHP-JqueryFileUpload-Plugin

The JqueryFileUpload Plugin provides an easy-to-use feature jQuery-File-Upload in CakePHP2.x

how to use with security component #4

Open davo3 opened 11 years ago

davo3 commented 11 years ago

Thanks for the code, it works great. Only, is there a way to make it work with the Security component? Because it detects blackholing, and that is expected, because the upload form inputs are not being created by $this->Form->input. I know that I can just add the uploading action to the Security component's unlockedActions array, thus bypassing the blackholing, but in fact I need high-level security and it would be better to make it work with security enabled. Thanks

ali3nado commented 11 years ago

Hello, first thanks for using our plugin. You want to set permission levels, for example define who may or may not upload files? Sorry for my English!

davo3 commented 11 years ago

Hello, thanks for the response. No, about user permissions I have no problem, I can handle that. I am using the Security component, http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html, for preventing any possible XSS, CSRF and form-tampering attacks: for each form a unique security token is created containing info about the form and its input fields (all the fields should be created by the Form Helper, otherwise it will not work), which is saved in the session and checked after the form submit. Without using the Security component (or if I add the upload action to the unlocked actions list) the plugin works great, but with security enabled it detects a blackholing case. Thanks!

ali3nado commented 11 years ago

Hmm, I understand. We can create a helper to try to resolve this, rendering with $this->Form templates instead of JS.

davo3 commented 11 years ago

I guess I understood why it does not work, but I am not sure how it will be possible to handle that. As I said, the Security component creates hidden fields with the tokens data[_Token][fields] and data[_Token][key], and they are submitted with the form. When I analyze with Firebug, in the case of other POST requests I can see that these 2 values are being sent as variables, but in the case of the image upload there is only plain text like

POST -----------------------------3491846415760 Content-Disposition: form-data; name="data[_Token][key]" de2b847cc31fce7696a cf892a7efa5e6e21a2450

-----------------------------3491846415760 Content-Disposition: form-data; name="data[_Token][fields]"

So, in order to work with the Security component, somehow we should send those 2 fields as with a usual POST request. Thanks
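One way to send the two token fields along with the multipart upload, as an added example that is not part of the plugin or of this thread: read the hidden data[_Token][...] inputs from the FormHelper-built form and hand them to jQuery-File-Upload's formData option, refusing to start the upload when a token is missing. The form id "UploadForm" and the constructed sample fields are assumptions.

```javascript
// Added example (not the plugin's own code): forward CakePHP 2.x Security
// component tokens with a jQuery-File-Upload multipart request so the upload
// action can stay locked instead of being added to unlockedActions.

// Pure helper: takes the form's serialized fields (the shape jQuery's
// serializeArray() returns, [{name, value}, ...]) and returns only the
// data[_Token][...] inputs in the [{name, value}] shape the plugin's formData
// option accepts. Returns null if key or fields is missing so callers fail
// closed; a request without them would be blackholed anyway.
function collectSecurityTokens(serializedFields) {
  var prefix = 'data[_Token][';
  var seen = {};
  var tokens = [];
  for (var i = 0; i < serializedFields.length; i++) {
    var f = serializedFields[i];
    if (f.name.indexOf(prefix) === 0 && f.value) {
      seen[f.name] = true;
      tokens.push({ name: f.name, value: f.value });
    }
  }
  if (!seen['data[_Token][key]'] || !seen['data[_Token][fields]']) {
    return null;
  }
  return tokens;
}

// Wiring; runs only where jQuery and the fileupload plugin are loaded.
// Assumed markup: a form with id "UploadForm" created by $this->Form->create()
// (so the hidden _Token inputs exist) that contains the file input.
if (typeof jQuery !== 'undefined' && jQuery.fn && jQuery.fn.fileupload) {
  var $form = jQuery('#UploadForm');
  $form.fileupload({
    url: $form.attr('action'),
    add: function (e, data) {
      var tokens = collectSecurityTokens($form.serializeArray());
      if (!tokens) {
        // Token absent: the Security component would reject the request.
        window.alert('Form token missing; reload the page and try again.');
        return;
      }
      data.formData = tokens; // sent as extra multipart parts beside the file
      data.submit();
    }
  });
}
```

Note that the Security component's csrfUseOnce setting (true by default in CakePHP 2.x) makes the key valid for a single request, so uploading several files from one page needs either csrfUseOnce set to false or a fresh token after each upload.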