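/**
 * Verifies that submitted form data matches the signature that was sent with it.
 *
 * The signature is read from `$data['security']['signature']`. The whole `'security'` key is
 * removed from the data before comparison, so any other entries under it do not take part in
 * the check.
 *
 * @param object|array $data Either the form data as an array, or an object exposing that
 *        array through a `data` property (the property is used when it is set).
 * @return boolean `true` when the signature recompiled from the submitted field names equals
 *         the submitted signature; `false` when a locked value was altered or removed, or
 *         when the signatures differ.
 * @throws Exception When no signature is present under `security.signature`.
 */
public static function check($data)
{
    if (is_object($data) && isset($data->data)) {
        $data = $data->data;
    }
    if (!isset($data['security']['signature'])) {
        throw new Exception('Unable to check form signature. Cannot find signature in data.');
    }
    $signature = $data['security']['signature'];
    unset($data['security']);

    // NOTE(review): `_parse()` receives the client-supplied signature before anything has been
    // verified. If it unserializes the locked/excluded components, confirm that it cannot be
    // made to instantiate objects and that it tolerates non-string input.
    $parsed = static::_parse($signature);
    $data = Set::flatten($data);

    // Every locked key/value pair named in the signature must be present, unchanged, in the
    // submitted data. The loose `!=` is intentional: it ignores element order.
    if (array_intersect_assoc($data, $parsed['locked']) != $parsed['locked']) {
        return false;
    }

    // The remaining field names are whatever was submitted minus locked and excluded fields.
    $fields = array_diff(array_keys($data), array_keys($parsed['locked']), $parsed['excluded']);

    // `locked` and `excluded` originate from the submitted signature itself; they are only
    // trustworthy because the same values are fed back into `_compile()` and the result has
    // to reproduce the submitted signature exactly.
    $expected = static::_compile($fields, $parsed['locked'], $parsed['excluded']);

    // Compare in constant time where the runtime offers it, so that response timing does not
    // reveal how much of a submitted signature matched the expected one. The boolean result
    // is the same as with `===`.
    if (function_exists('hash_equals') && is_string($signature) && is_string($expected)) {
        return hash_equals($expected, $signature);
    }
    return $signature === $expected;
}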
/**
 * Verifies that `FormSignature::check()` disregards extra entries placed under the
 * `'security'` key: the request carries an additional `'foo'` element next to the signature
 * and must still validate.
 *
 * The signature consists of three parts joined by `::`. The first two are URL-encoded
 * serialized arrays (one holding `active => true`, one empty) and the third is a
 * bcrypt-formatted string.
 */
public function testIgnoreSecurityFields()
{
    $parts = array(
        'a%3A1%3A%7Bs%3A6%3A%22active%22%3Bs%3A4%3A%22true%22%3B%7D',
        'a%3A0%3A%7B%7D',
        '$2a$10$NuNTOeXv4OHpPJtbdAmfReFiSmFw5hmc6sSy8qwns6/DWNSSOjR1y'
    );
    $token = implode('::', $parts);

    // The stray 'foo' entry sits beside the signature and must not influence the outcome.
    $security = array('signature' => $token, 'foo' => 'bar');

    $payload = array(
        'email' => 'foo@baz',
        'pass' => 'whatever',
        'active' => 'true',
        'security' => $security
    );
    $request = new Request(array('data' => $payload));

    $result = FormSignature::check($request);
    $this->assertTrue($result);
}