I’ve run into a problem in my CakePHP app as a result of adding some ajax actions.

My table is called orders so obviously my controller is called OrdersController and the model is called Order

It is my understanding of CakePHP’s best practices that if I am going to run any logic on the Order model, that it should be done in the OrdersController. This is fine for the basic CRUD stuff but now that some of my views need to send ajax requests to manipulate Order data I have a problem.

The problem is that for ajax to work properly, I have to put this at the beginning of the OrdersController

var $layout = 'ajax';  // uses an empty layout
var $autoRender=false; // renders nothing by default

Then, to stop the security component interfering with my Ajax form submissions, I also need this:

public function beforeFilter() {
    parent::beforeFilter();
    $this->Security->csrfUseOnce = false;
    $this->Security->csrfExpires = '+1 hour';
}

None of this would be a problem if the controller was only being used for Ajax requests, but the problem is that it’s being used for regular Cake actions too.

Is the answer that I should have two controllers? One for regular actions and one for ajax actions? This doesn’t seem to be mentioned in the Cake docs and it doesn’t seem like a very efficient way of doing things.

I know I can change the layout and possibly the auto-render setting on a per-action basis, but I don’t see how it’s possible to do this with the csrf settings, which need to be in the beforeFilter.