How do I disable $_accessible protection for admin in CakePHP 3?

I have been trying to do this for quite some time and now I am at a loss. CakePHP 3 protects against the mass assignment vulnerability by means of the $_accessible entity property. This is useful against hackers, but it is also very annoying when you create an admin panel. My question is: how do I disable this protection for all controllers with the 'prefix' => 'admin' and keep it for the others?

  • This cannot be done in the model's beforeSave because it runs too late.
  • I also tried to create a Behavior, but it cannot touch the Entity, where everything is happening.
  • The closest is overriding the newEntity() method in the model, but that way I have to do it in every single model, which is not a very pretty solution.
  • I know this can be done in the controller action where I save the data, but then I would have to write it out for every admin action... Well, there must be a better way.
+3




2 answers


Using guard false

The book's solution is to use the guard option, e.g.:

$article->set($properties, ['guard' => false]);

The same applies to the creation of new objects.



Adding ['guard' => false] to the appropriate controller code shouldn't be that hard, it is more or less a find and replace, and it is less likely to cause problems in the future (accidentally disabling the protection for non-admin actions).

beforeMarshal

Alternatively, you can use beforeMarshal to change the input options to guard => false. Since you want this for "all admin actions", the best way to do it is to register an anonymous event listener for the admin actions using the global event manager, like so:

// Some controller
use Cake\Event\Event;
use Cake\Event\EventManager;

// CakePHP 3 passes the Event object to beforeFilter()
public function beforeFilter(Event $event)
{
    parent::beforeFilter($event);

    // $data and $options arrive as ArrayObjects, so changes made here
    // are seen by the marshaller after the event has fired
    EventManager::instance()->on(
        'Model.beforeMarshal',
        function ($event, $data, $options) {
            $options['guard'] = false;
        }
    );
}


0
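A complete version of the prefix-scoped approach, added here as an example rather than code from either answer: it assumes CakePHP 3.4+ (for getParam()) and a hypothetical User entity, and it lifts the guard through the accessibleFields marshalling option, which newEntity()/patchEntity() read after the Model.beforeMarshal event has run, so only requests routed under the admin prefix bypass $_accessible while every other request keeps it.

```php
<?php
// Added example; assumes CakePHP 3.4+ and a hypothetical User entity.

// src/Model/Entity/User.php
namespace App\Model\Entity;

use Cake\ORM\Entity;

class User extends Entity
{
    // Public forms may fill everything except the primary key and the role.
    protected $_accessible = [
        '*' => true,
        'id' => false,
        'role' => false,
    ];
}

// src/Controller/AppController.php
namespace App\Controller;

use ArrayObject;
use Cake\Controller\Controller;
use Cake\Event\Event;
use Cake\Event\EventManager;

class AppController extends Controller
{
    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);

        // Only requests routed through the "admin" prefix lift the guard.
        if ($this->request->getParam('prefix') !== 'admin') {
            return;
        }

        // Model.beforeMarshal fires for every table marshalled during this
        // request, so the prefix check above is what keeps this admin-only.
        EventManager::instance()->on(
            'Model.beforeMarshal',
            function (Event $event, ArrayObject $data, ArrayObject $options) {
                // The marshaller applies accessibleFields after this event,
                // so newEntity()/patchEntity() ignore $_accessible here.
                $options['accessibleFields'] = ['*' => true];
            }
        );
    }
}
```

The listener is registered per request, so nothing leaks into non-admin requests; if a single admin action must still honour $_accessible, that action can call newEntity()/patchEntity() with an explicit accessibleFields list of its own.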




Create an entity class in the src/Model/Entity directory. Then define:

protected $_accessible = [
    '*' => true
];


-1








