Merge pull request #5661 from kenjis/fix-docs-method-filter

docs: add warning about $method filters

Author: kenjis

app/Config/Filters.php

@@ -49,7 +49,11 @@ class Filters extends BaseConfig
      * particular HTTP method (GET, POST, etc.).
      *
      * Example:
-     * 'post' => ['csrf', 'throttle']
+     * 'post' => ['foo', 'bar']
+     *
+     * If you use this, you should disable auto-routing because auto-routing
+     * permits any HTTP method to access a controller. Accessing the controller
+     * with a method you don’t expect could bypass the filter.
      *
      * @var array
      */

user_guide_src/source/incoming/filters.rst

@@ -176,6 +176,10 @@ specify the method name in lowercase. It's value would be an array of filters to
 In addition to the standard HTTP methods, this also supports one special case: 'cli'. The 'cli' method would apply to
 all requests that were run from the command line.
 
+.. Warning:: If you use ``$methods`` filters, you should :ref:`disable auto-routing <use-defined-routes-only>`
+    because auto-routing permits any HTTP method to access a controller.
+    Accessing the controller with a method you don't expect could bypass the filter.
+
 $filters
 ========
 

user_guide_src/source/installation/upgrade_415.rst

@@ -53,6 +53,10 @@ If you want the same behavior as the previous version, set the CSRF filter like
 
 Protecting **GET** method needs only when you use ``form_open()`` auto-generation of CSRF field.
 
+.. Warning:: In general, if you use ``$methods`` filters, you should :ref:`disable auto-routing <use-defined-routes-only>`
+    because auto-routing permits any HTTP method to access a controller.
+    Accessing the controller with a method you don't expect could bypass the filter.
+
 CURLRequest header change
 -------------------------
 

user_guide_src/source/libraries/security.rst

@@ -129,6 +129,10 @@ It is also possible to enable the CSRF filter only for specific methods::
         'post' => ['csrf'],
     ];
 
+.. Warning:: If you use ``$methods`` filters, you should :ref:`disable auto-routing <use-defined-routes-only>`
+    because auto-routing permits any HTTP method to access a controller.
+    Accessing the controller with a method you don't expect could bypass the filter.
+
 HTML Forms
 ==========
 

user_guide_src/source/libraries/throttler.rst

@@ -117,9 +117,13 @@ filter::
 Next, we assign it to all POST requests made on the site::
 
     public $methods = [
-        'post' => ['throttle', 'csrf'],
+        'post' => ['throttle'],
     ];
 
+.. Warning:: If you use ``$methods`` filters, you should :ref:`disable auto-routing <use-defined-routes-only>`
+    because auto-routing permits any HTTP method to access a controller.
+    Accessing the controller with a method you don't expect could bypass the filter.
+
 And that's all there is to it. Now all POST requests made on the site will have to be rate limited.
 
 ***************

user_guide_src/source/tutorial/create_news_items.rst

@@ -20,6 +20,10 @@ Open the **app/Config/Filters.php** file and update the ``$methods`` property li
 It configures the CSRF filter to be enabled for all **POST** requests.
 You can read more about the CSRF protection in :doc:`Security </libraries/security>` library.
 
+.. Warning:: In general, if you use ``$methods`` filters, you should :ref:`disable auto-routing <use-defined-routes-only>`
+    because auto-routing permits any HTTP method to access a controller.
+    Accessing the controller with a method you don't expect could bypass the filter.
+
 Create a form
 -------------