📄 security.php
字号:
} else { return $this->__callback($controller, $this->blackHoleCallback, array($error)); } }/** * Sets the actions that require a $method HTTP request, or empty for all actions * * @param string $method The HTTP method to assign controller actions to * @param array $actions Controller actions to set the required HTTP method to. * @access private */ function __requireMethod($method, $actions = array()) { $this->{'require' . $method} = ife(empty($actions), array('*'), $actions); }/** * Check if HTTP methods are required * * @param object $controller Instantiating controller * @return bool true if $method is required * @access private */ function __methodsRequired(&$controller) { foreach (array('Post', 'Get', 'Put', 'Delete') as $method) { $property = 'require' . $method; if (is_array($this->$property) && !empty($this->$property)) { $require = array_map('strtolower', $this->$property); if (in_array($this->__action, $require) || $this->$property == array('*')) { if (!$this->RequestHandler->{'is' . $method}()) { if (!$this->blackHole($controller, strtolower($method))) { return null; } } } } } return true; }/** * Check if access requires secure connection * * @param object $controller Instantiating controller * @return bool true if secure connection required * @access private */ function __secureRequired(&$controller) { if (is_array($this->requireSecure) && !empty($this->requireSecure)) { $requireSecure = array_map('strtolower', $this->requireSecure); if (in_array($this->__action, $requireSecure) || $this->requireSecure == array('*')) { if (!$this->RequestHandler->isSSL()) { if (!$this->blackHole($controller, 'secure')) { return null; } } } } return true; }/** * Check if authentication is required * * @param object $controller Instantiating controller * @return bool true if authentication required * @access private */ function __authRequired(&$controller) { if (is_array($this->requireAuth) && !empty($this->requireAuth) && !empty($controller->data)) { $requireAuth = array_map('strtolower', $this->requireAuth); if (in_array($this->__action, $requireAuth) || $this->requireAuth == array('*')) { if (!isset($controller->data['__Token'] )) { if (!$this->blackHole($controller, 'auth')) { return null; } } if ($this->Session->check('_Token')) { $tData = unserialize($this->Session->read('_Token')); if (!empty($tData['allowedControllers']) && !in_array($controller->params['controller'], $tData['allowedControllers']) || !empty($tData['allowedActions']) && !in_array($controller->params['action'], $tData['allowedActions'])) { if (!$this->blackHole($controller, 'auth')) { return null; } } } else { if (!$this->blackHole($controller, 'auth')) { return null; } } } } return true; }/** * Check if login is required * * @param object $controller Instantiating controller * @return bool true if login is required * @access private */ function __loginRequired(&$controller) { if (is_array($this->requireLogin) && !empty($this->requireLogin)) { $requireLogin = array_map('strtolower', $this->requireLogin); if (in_array($this->__action, $requireLogin) || $this->requireLogin == array('*')) { $login = $this->loginCredentials($this->loginOptions['type']); if ($login == null) { // User hasn't been authenticated yet header($this->loginRequest()); if (!empty($this->loginOptions['prompt'])) { $this->__callback($controller, $this->loginOptions['prompt']); } else { $this->blackHole($controller, 'login'); } } else { if (isset($this->loginOptions['login'])) { $this->__callback($controller, $this->loginOptions['login'], array($login)); } else { if (strtolower($this->loginOptions['type']) == 'digest') { // Do digest authentication if ($login && isset($this->loginUsers[$login['username']])) { if ($login['response'] == $this->generateDigestResponseHash($login)) { return true; } } $this->blackHole($controller, 'login'); } else { if (!(in_array($login['username'], array_keys($this->loginUsers)) && $this->loginUsers[$login['username']] == $login['password'])) { $this->blackHole($controller, 'login'); } } } } } } return true; }/** * Validate submitted form * * @param object $controller Instantiating controller * @return bool true if submitted form is valid * @access private */ function __validatePost(&$controller) { if (!empty($controller->data)) { if (!isset($controller->data['__Token'])) { if (!$this->blackHole($controller, 'auth')) { return null; } } $token = $controller->data['__Token']['key']; if ($this->Session->check('_Token')) { $tData = unserialize($this->Session->read('_Token')); if ($tData['expires'] < time() || $tData['key'] !== $token) { if (!$this->blackHole($controller, 'auth')) { return null; } } } if (!isset($controller->data['__Token']['fields'])) { if (!$this->blackHole($controller, 'auth')) { return null; } } $form = $controller->data['__Token']['fields']; $check = $controller->data; unset($check['__Token']['fields']); if (!empty($this->disabledFields)) { foreach ($check as $model => $fields) { foreach ($fields as $field => $value) { $key[] = $model . '.' . $field; } unset($field); } foreach ($this->disabledFields as $value) { $parts = preg_split('/\/|\./', $value); if (count($parts) == 1) { $key1[] = $controller->modelClass . '.' . $parts['0']; } elseif (count($parts) == 2) { $key1[] = $parts['0'] . '.' . $parts['1']; } } foreach ($key1 as $value) { if (in_array($value, $key)) { $remove = explode('.', $value); unset($check[$remove['0']][$remove['1']]); } elseif (in_array('_' . $value, $key)) { $remove = explode('.', $value); $controller->data[$remove['0']][$remove['1']] = $controller->data['_' . $remove['0']][$remove['1']]; unset($check['_' . $remove['0']][$remove['1']]); } } } ksort($check); foreach ($check as $key => $value) { $merge = array(); if ($key === '__Token') { $field[$key] = $value; continue; } $string = substr($key, 0, 1); if ($string === '_') { $newKey = substr($key, 1); if (!isset($controller->data[$newKey])) { $controller->data[$newKey] = array(); if (array_keys($controller->data[$key]) === array($newKey)) { $field[$newKey] = array($newKey); } } if (is_array($value)) { $values = array_values($value); $k = array_keys($value); $count = count($k); if (is_numeric($k[0])) { for ($i = 0; $count > $i; $i++) { foreach ($values[$i] as $key2 => $value1) { if ($value1 === '0') { $field[$newKey][$i] = array_merge($field[$newKey][$i], array($key2)); } } } $controller->data[$newKey] = Set::pushDiff($controller->data[$key], $controller->data[$newKey]); } for ($i = 0; $count > $i; $i++) { $field[$key][$k[$i]] = $values[$i]; } foreach ($k as $lookup) { if (isset($controller->data[$newKey][$lookup])) { unset($controller->data[$key][$lookup]); } elseif ($controller->data[$key][$lookup] === '0') { $merge[] = $lookup; } } if (!is_numeric($k[0])) { if (isset($field[$newKey])) { $field[$newKey] = array_merge($merge, $field[$newKey]); } else { $field[$newKey] = $merge; } $controller->data[$newKey] = Set::pushDiff($controller->data[$key], $controller->data[$newKey]); } unset($controller->data[$key]); } continue; } if (is_array($value)) { $keys = array_keys($value); } else { $keys = $value; } if (isset($field[$key])) { $field[$key] = array_merge($field[$key], $keys); } elseif (is_array($keys) && !empty($keys) && is_numeric($keys[0])) { foreach ($value as $fields) { $merge[] = array_keys($fields); } $field[$key] = $merge; } else if (is_array($keys)) { $field[$key] = $keys; } else { $field[] = $key; } } foreach ($field as $key => $value) { if ($key[0] != '_' && is_array($field[$key])) { sort($field[$key]); } } ksort($field, SORT_STRING); $check = urlencode(Security::hash(serialize($field) . Configure::read('Security.salt'))); if ($form !== $check) { if (!$this->blackHole($controller, 'auth')) { return null; } } } return true; }/** * Add authentication key for new form posts * * @param object $controller Instantiating controller * @return bool Success * @access private */ function __generateToken(&$controller) { if (!isset($controller->params['requested']) || $controller->params['requested'] != 1) { $authKey = Security::generateAuthKey(); $expires = strtotime('+' . Security::inactiveMins() . ' minutes'); $token = array( 'key' => $authKey, 'expires' => $expires, 'allowedControllers' => $this->allowedControllers, 'allowedActions' => $this->allowedActions, 'disabledFields' => $this->disabledFields ); if (!isset($controller->data)) { $controller->data = array(); } if ($this->Session->check('_Token')) { $tData = unserialize($this->Session->read('_Token')); if (isset($tData['expires']) && $tData['expires'] > time() && isset($tData['key'])) { $token['key'] = $tData['key']; } } $controller->params['_Token'] = $token; $this->Session->write('_Token', serialize($token)); } return true; }/** * Sets the default login options for an HTTP-authenticated request * * @param array $options Default login options * @access private */ function __setLoginDefaults(&$options) { $options = array_merge(array( 'type' => 'basic', 'realm' => env('SERVER_NAME'), 'qop' => 'auth', 'nonce' => String::uuid() ), array_filter($options)); $options = array_merge(array('opaque' => md5($options['realm'])), $options); }/** * Calls a controller callback method * * @param object $controller Controller to run callback on * @param string $method Method to execute * @param array $params Parameters to send to method * @return mixed Controller callback method's response * @access private */ function __callback(&$controller, $method, $params = array()) { if (is_callable(array($controller, $method))) { return call_user_func_array(array(&$controller, $method), empty($params) ? null : $params); } else { // Debug::warning('Callback method ' . $method . ' in controller ' . get_class($controller) return null; } }}?>⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -