Something I should have known about Security->disabledFields

Altering the values of hidden fields, and dynamically altering forms (adding, changing or removing fields) with JavaScript and Ajax, is a common task in today's web development.

CakePHP's Security component is very useful for protecting our applications from some Cross-Site Request Forgery, and for stopping malicious users from altering our form fields and hidden values. If the fields or hidden values are changed after the form is rendered, the request is blackHoled and the browser displays a blank page (the "white screen of oblivion?").

Of course, our legitimate form-altering JavaScript may be mistaken for a malicious user, and that's why CakePHP's Security component provides a disabledFields property: it lists the fields that should be ignored, because our application itself can add, remove or change them.

All this is clearly documented in the book.

So, what's the problem? A less-known detail may save you some time. I had, as an example, this "Event" form with the option for the user to

1) select the Organization (main organizer) from an existing list;

2) add a new Organization and the needed details (and relate it to the submitted event on success).

(the same for the Place and other related models)

The form was manipulated through JavaScript (jQuery). So, I added
$this->Security->disabledFields = array('Event.organization_id', 'Organization.name', 'Organization.email', [..]);
in my EventController's beforeFilter method.

But the request was blackHoled, no matter what I did.

You might have already noticed the catch: the "ignored" fields belong to different models. Event is the current controller's model; the others are models related to Event.

Just moving the above line to AppController fixed the issue.
(Maybe adding the required models through EventController's $uses property would work; I did not try, and it's not optimal.)
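The working placement, written out as an added example (not the post's own code): the whitelist lives in AppController's beforeFilter, and EventController keeps it by calling parent::beforeFilter(). The securityBlackHole callback and the blackHoleCallback property are assumptions about the CakePHP 1.x Security component added here so that a black-holed request is logged instead of silently producing a blank page.

```php
<?php
// app/app_controller.php (added example; CakePHP 1.x conventions assumed)
class AppController extends Controller {
    var $components = array('Security');

    function beforeFilter() {
        // Fields our jQuery code adds or changes after the form is rendered.
        // Fields of related models (Organization, Place, ...) must be listed
        // here, in AppController, not only in EventController.
        $this->Security->disabledFields = array(
            'Event.organization_id',
            'Organization.name',
            'Organization.email',
        );
        // Assumption: route black-holed requests to a controller method so
        // the failure is logged rather than shown as a blank page.
        $this->Security->blackHoleCallback = 'securityBlackHole';
    }

    // Called by the Security component instead of the default blank redirect.
    function securityBlackHole($error = '') {
        $this->log(sprintf('Security black hole (%s) on %s/%s from %s',
            $error, $this->name, $this->action, env('REMOTE_ADDR')), LOG_ERROR);
        $this->cakeError('error404');
    }
}

// app/controllers/event_controller.php (name follows the post)
class EventController extends AppController {
    function beforeFilter() {
        // Keep the AppController whitelist; overriding without this call
        // would drop the related-model fields and black-hole the form again.
        parent::beforeFilter();
    }
}
```

After a legitimate submit the log should stay quiet; a black-hole entry while you are only using your own JavaScript points at a field missing from the whitelist.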

That's all: if you get an unexpected Security component black hole, check the ignored fields array first.