I have a form that represents a RewardModifier table in our database. That RewardModifier hasMany RewardOption.
My form is structured like this (image):
So, the RewardModifier can have many elements on the page, each with many RewardOption items.
The Problem
The problem is, that users can delete sections of this form using Javascript, which essentially removes it from the DOM. When they do that, it breaks the security component, because the POST'ed fields do not match the token supplied when the page was generated.
Now, I have been using unlockedFields to handle this before:
$this->Security->disabledFields = array(
'PrjRewardModifier.reward_id',
'PrjRewardModifier.title',
'PrjRewardModifier.option_type',
'PrjRewardOption.description',
'PrjRewardOption.modifier',
'PrjRewardOption.amount'
);
I know that disabledFields is deprecated, but we are using that for the time being.
When I debug the posted form data in the SecurityComponent, I see the following:
(int) 8 => 'PrjRewardModifier.0.reward_id',
(int) 9 => 'PrjRewardModifier.0.title',
(int) 10 => 'PrjRewardModifier.0.option_type',
(int) 11 => 'PrjRewardModifier.0.PrjRewardOption.0.description',
(int) 12 => 'PrjRewardModifier.0.PrjRewardOption.0.modifier',
(int) 13 => 'PrjRewardModifier.0.PrjRewardOption.0.amount'
I need to know how to edit the data being passed to unlockedFields so that it can disregard these fields that are keyed for hasMany relationships.
Thanks.
I had a similar problem. I found adding (the equivalent of) this to the RewardModifier controller did the trick:
public function beforeFilter(){
$this->Security->unlockedFields = array('RewardOption');
}
Adding the following to the form code worked for me
$this->Form->unlockField('User.id');
Unlocking the fields from within the view files also helps declutter the controller's beforeFilter().
Source: /core-libraries/helpers/form.html#FormHelper::unlockField
来源:https://stackoverflow.com/questions/15938555/how-to-unlock-a-field-in-a-cakephp-form-when-it-is-part-of-a-hasmany-associati