CakePHP form tampering


I have a problem with a form I made in CakePHP 2.

The form submission was working fine, but then I changed it and now I'm submitting some other stuff too. I also made it so that the user can pick the number of "Services" he is going to submit.

Now the form only submits when there is exactly 1 "Service". I presume that the problem resides with the "form-tampering" protection. Since I want the user to "tamper" with the form, how can I disable this protection?

My beforeFilter looks like this:

public function beforeFilter() {
    parent::beforeFilter();

    // Allow the registration action without authentication
    $this->Auth->allow('register_new');

    // Security component: relax checks for the AJAX-only actions
    if (isset($this->Security) &&
        $this->RequestHandler->isAjax() &&
        ($this->action == 'statistics'))
    {
        // $this->Security->validatePost = false;
        $this->Security->csrfCheck = false;
    }

    if (isset($this->Security) &&
        $this->RequestHandler->isAjax() &&
        ($this->action == 'markPaid'))
    {
        $this->Security->validatePost = false;
        $this->Security->csrfCheck = false;
    }
}

The 'action' in question (the one that doesn't get any data) is "register_new".


Best answer:

The code

$this->Auth->allow('register_new');

makes register_new accessible without authentication, but it does not disable form tampering protection.

// Disable the form-tampering (POST) check for this action only
if ($this->request->params['action'] == 'register_new')
{
    $this->Security->validatePost = false;
}

Alternatively, you could also disable POST validation on some fields only by using

$this->Security->unlockedFields = array('field_1', ...);

with the advantage of keeping validation on the other ones.

See http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#form-tampering-prevention
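The following is an added example (not the poster's code and not the accepted answer's snippet) showing the second option from the answer in a complete CakePHP 2 controller: the form-tampering check stays enabled for register_new, only the repeated Service fields are unlocked so the user may add or remove Service rows, and blackholed requests are logged rather than silently rejected. The controller, model and field names (UsersController, User hasMany Service, Service.name, Service.price) are assumptions chosen for the illustration; the SecurityComponent properties and FormHelper behaviour used are those of CakePHP 2.x.

```php
<?php
// Added example, not the poster's code: keep validatePost on for register_new
// and unlock only the per-row Service fields. Names below are assumed.
App::uses('AppController', 'Controller');
App::uses('CakeLog', 'Log');

class UsersController extends AppController {

    public $components = array('Auth', 'RequestHandler', 'Security');

    public function beforeFilter() {
        parent::beforeFilter();

        // Public registration; this only affects authentication,
        // not SecurityComponent's form-tampering check.
        $this->Auth->allow('register_new');

        // Send blackholed requests to a method that logs them, so tampering
        // attempts (and misconfigured forms) show up in the application log.
        $this->Security->blackHoleCallback = 'securityError';

        if ($this->request->params['action'] === 'register_new') {
            // validatePost stays true. Unlocking 'Service.name' also covers
            // Service.0.name, Service.1.name, ... in 2.x, so any number of
            // Service rows is accepted while every other field is still
            // checked against the token hash. The FormHelper reads this list
            // from $request->params['_Token'] and excludes the same fields
            // when it builds the hash, so no view-side change is needed.
            $this->Security->unlockedFields = array('Service.name', 'Service.price');
        }
    }

    public function register_new() {
        if ($this->request->is('post')) {
            // Assumed association: User hasMany Service, posted as
            // data[User][...] and data[Service][n][...].
            $this->User->create();
            if ($this->User->saveAssociated($this->request->data)) {
                $this->Session->setFlash(__('Registration saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Registration could not be saved.'));
        }
    }

    // Called by SecurityComponent with the failure type ('csrf', 'auth',
    // 'secure', ...) when a request is blackholed.
    public function securityError($type) {
        CakeLog::write('warning', sprintf(
            'SecurityComponent blackhole (%s) on %s from %s',
            $type, $this->request->here, $this->request->clientIp()
        ));
        throw new BadRequestException(__('The form could not be validated. Please reload the page and try again.'));
    }
}
```

Compared with setting validatePost = false for the whole action, this keeps the hidden-field and field-list protection for everything the user is not supposed to change (for example a role or price field rendered as hidden input), and the blackhole callback gives a log line to investigate when a submission is rejected.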