Vesthelm Engine

2.1.1 User Guide

Security Class

The Security class bundles the security helpers used by Vesthelm controllers: looking up the client IP address, generating random tokens, and creating, verifying and selectively skipping Cross Site Request Forgery (CSRF) tokens.

Calling the Security Class

$Security = $this->Security;

Getting IP Address

$ip = $this->Security->getIP();

echo $ip; //Outputs for example: 127.0.0.0

Generating Token String

$token = $this->Security->newToken();

echo $token; //Outputs a random 32-character string, for example: 32e3c0c378b494e159133cff888cd279

Limiting the string length:

$token = $this->Security->newToken(16);

echo $token; //Outputs a random 16-character string, for example: 32e3c0c378b494e1

A shorter token carries less entropy: a 32-character hexadecimal token such as the ones above holds at most 128 bits, a 16-character one at most 64. Do not shorten tokens that protect authentication, password resets or form submissions.

Cross Site Request Forgery Protection

Adding the token field to a template:

<div id="bulletin-form-bulletin_board">{createTokenField name="bulletin-form-bulletin_board" num="1"}</div>

//createTokenField() outputs:
//<input type="hidden" name="bulletin-form-bulletin_board-1" value="43ab6975ed85032921a0f682aff98897" />

Using ExtJS (Ext.Ajax.request) to submit or validate your forms:

Ext.Ajax.request({
    url: 'http://www.example.com/bulletin-board/bulletin/',
    method: 'POST',
    params: {
        token: token('bulletin-form-bulletin_board', 1),
        action: 'add'
    }
});

The token() helper reads the token value from the hidden field that createTokenField placed inside the element with id bulletin-form-bulletin_board; the second argument selects the field number (the num given in the template), so token('bulletin-form-bulletin_board', 1) returns the value of the input named bulletin-form-bulletin_board-1.

By default every form must carry a token field, because Vesthelm Engine checks the token with $this->Security->verifyToken() before dispatching any action.

To check the token manually when you are not using a Vesthelm controller:

$params = array(
    'enhancement' => 'bulletin_board',
    'file' => 'bulletin', //the controller
    'action' => 'add'
);

$wrong = $this->Security->checkToken($params); //false when the submitted token is valid

checkToken() reports failure, so treat any result other than false as a failed check and stop before the action changes any state.

To exclude a controller/action from token checking (note the argument order: controller, enhancement, action, which differs from the key order of the $params array above):

$this->Security->addExcludedFile(
    'bulletin', //controller
    'bulletin_board', //enhancement
    'add' //action
);

An excluded action receives no CSRF protection at all, so exclude only actions that do not change state on behalf of the logged-in user, or that are authenticated by some other means.

Put the call in the application's Bootstrap.php, or create that file at `{site}/applications/{your_application}/includes/Bootstrap.php`:

<?php
defined('VESTHELM') or die('Powered by <a href="http://www.vesthelm.com/">Vesthelm EE</a>');

class Bulletin_Board_Bootstrap extends VM {

    public function execute() {
        // Skip the CSRF token check for the bulletin_board/bulletin/add action only.
        $this->Security->addExcludedFile(
            'bulletin', //controller
            'bulletin_board', //enhancement
            'add' //action
        );
    }

}
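The token lifecycle that createTokenField, checkToken() and addExcludedFile() take part in, shown end to end as an added example. It is not Vesthelm's code: the CsrfDemo class, its in-memory $session and $excluded arrays, the report() helper and the extra $post/$field arguments on checkToken() are assumptions made so the script runs offline with plain PHP 7.4 or later (php csrf_demo.php).

```php
<?php
// Added example, not Vesthelm's own code: a synchronizer-token CSRF check
// modelled on the calls documented above. The class name CsrfDemo, the
// $session/$excluded arrays and the extra $post/$field arguments of
// checkToken() are assumptions made so the script runs offline.
declare(strict_types=1);

final class CsrfDemo
{
    /** @var array<string,array<string,string>> token store standing in for $_SESSION */
    private array $session = [];

    /** @var array<string,true> routes ("enhancement/file/action") that skip the check */
    private array $excluded = [];

    /** Random hex string; 32 hex characters = 128 bits of entropy, as in newToken(). */
    public function newToken(int $length = 32): string
    {
        if ($length < 1 || $length > 32) {
            throw new InvalidArgumentException('token length must be between 1 and 32');
        }
        return substr(bin2hex(random_bytes(16)), 0, $length);
    }

    /** Counterpart of {createTokenField name=... num=...}: store the token, render the field. */
    public function createTokenField(string $name, int $num): string
    {
        $field = $name . '-' . $num;
        $token = $this->newToken();
        $this->session['csrf'][$field] = $token;       // one token per form field
        return sprintf('<input type="hidden" name="%s" value="%s" />',
            htmlspecialchars($field, ENT_QUOTES, 'UTF-8'), $token);
    }

    /** Counterpart of addExcludedFile(controller, enhancement, action). */
    public function addExcludedFile(string $file, string $enhancement, string $action): void
    {
        $this->excluded[$enhancement . '/' . $file . '/' . $action] = true;
    }

    /**
     * Counterpart of checkToken($params): like the documented method it reports
     * failure, returning false when the request is acceptable (valid token, or an
     * excluded route) and true when the token is missing, forged or replayed.
     */
    public function checkToken(array $params, array $post, string $field): bool
    {
        $route = $params['enhancement'] . '/' . $params['file'] . '/' . $params['action'];
        if (isset($this->excluded[$route])) {
            return false;                               // route opted out of CSRF checking
        }
        $expected = $this->session['csrf'][$field] ?? null;
        $given    = $post[$field] ?? null;
        if (!is_string($expected) || !is_string($given)) {
            return true;                                // no token issued or none submitted
        }
        // hash_equals() compares in constant time, so a forger learns nothing from timing.
        $wrong = !hash_equals($expected, $given);
        if (!$wrong) {
            unset($this->session['csrf'][$field]);      // single use: a captured token cannot be replayed
        }
        return $wrong;
    }
}

function report(string $case, bool $wrong): void
{
    echo str_pad($case, 32) . ($wrong ? 'REJECTED' : 'accepted') . PHP_EOL;
}

$demo   = new CsrfDemo();
$params = ['enhancement' => 'bulletin_board', 'file' => 'bulletin', 'action' => 'add'];
$field  = 'bulletin-form-bulletin_board-1';

// Render the form; the hidden field carries the token the browser echoes back.
$html = $demo->createTokenField('bulletin-form-bulletin_board', 1);
preg_match('/value="([0-9a-f]{32})"/', $html, $m);
$legit = [$field => $m[1], 'action' => 'add'];         // constructed: an honest submission

report('forged token',        $demo->checkToken($params, [$field => str_repeat('0', 32)], $field));
report('missing token',       $demo->checkToken($params, ['action' => 'add'], $field));
report('valid token',         $demo->checkToken($params, $legit, $field));
report('same token replayed', $demo->checkToken($params, $legit, $field));

// Excluding the route disables the check entirely, so reserve this for actions
// that cannot change state on the user's behalf.
$demo->addExcludedFile('bulletin', 'bulletin_board', 'add');
report('excluded route, no token', $demo->checkToken($params, [], $field));
```

Two properties are worth keeping when wiring a real check: the comparison uses hash_equals() rather than ==, and a token is discarded once it has been accepted, so a value leaked from one rendered page cannot be submitted twice. The last case shows why addExcludedFile() must be used sparingly: once the route is excluded, the add action accepts a request that carries no token at all.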