CakePHP: avoid letting logged-in users access other users' accounts
I'm developing a web with CakePHP 1.3.7. Everything is going fine and I love it, but I just came across a problem (probably because of my lack of knowledge) that I can't figure out how to fix.
This is my problem:
In the website, there's the typical 'manage my account' area, which users can only access when they're logged in. In this area, there's a link that calls an action in the same 'users' controller called 'edit_items'. So when a user goes to edit_items, the action receives the user's id as a parameter (something like domain.com/users/edit_items/45, where 45 is the user's id) and shows the information in a form. The problem comes if I go directly to the address bar of the browser and change that 45 to any other user's id: then the information of that other user is also shown, even if that user is not logged in. This is obviously a big security issue.
I've been trying to avoid passing the user's id as a parameter and getting it from the Auth component (which I'm using) with $this->Auth->User('id'). For whatever reason, I can read the logged user's info into the form fine, but when I try to save the changes on the form, I get an error as if the save action had failed, and I have no clue why.
Is there any other way to avoid my problem? Or to figure out why the save is returning an error?
Thanks!
EDIT
So the problem comes from the validation. Here's the deal: when the user fills out the form to create a new item, there are certain fields, some of them with validation rules applied. However, when the user goes back to edit the item, not all the fields are editable, only some. Is it possible that, since some fields that required validation when creating the item are not available when editing, that causes the error? How can I avoid that? Can I change the validation rules only for the edit action?
Example of what's happening: when creating an item, one of the fields is item_name, which has some validation applied to it. When editing the item, its name cannot be changed, so it's not shown in the edit form. I believe this is what may be causing the error, maybe because the item_name is missing?
You are headed in the right direction - passing user_id in the URL is a bad idea when users need to edit their own details.
You can use the following: when saving your form, before the actual save you can put the user_id into the posted data. Something like this:
```php
if (!empty($this->data)) {
    // Overwrite whatever id came from the form/URL with the id of the
    // user stored in the session by the Auth component.
    $this->data['User']['id'] = $this->Auth->user('id');
    ... // Some extra stuff
    if ($this->User->save($this->data)) {
        ... // success
    } else {
        ... // error
    }
}
```
This way the logged-in user will always overwrite their own record. Check if you have some validation rules in your model which give you this error.
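Putting the answer's idea and the asker's validation question together, here is an added example (not code from the original question or answer) of an edit action that never trusts the URL for ownership and of a validation rule that applies only on create. The model name Item, the fields user_id, item_name, description and quantity, and the edit_items action are assumptions.

```php
<?php
// Added example (not from the original question or answer). Model Item,
// fields user_id/item_name/description/quantity, and edit_items are assumptions.

// app/models/item.php
class Item extends AppModel {
    var $name = 'Item';
    var $belongsTo = array('User');
    var $validate = array(
        'item_name' => array(
            'required' => array(
                'rule'    => 'notEmpty',
                'message' => 'Item name is required',
                'on'      => 'create',   // enforced on create only, skipped on update
            ),
        ),
    );
}

// app/controllers/items_controller.php
class ItemsController extends AppController {
    var $name = 'Items';
    var $components = array('Auth', 'Session');

    function edit_items($id = null) {
        // The item id may come from the URL; the owner never does.
        // It is always taken from the session via the Auth component.
        $userId = $this->Auth->user('id');

        // Load only a record owned by the logged-in user. If the URL id
        // belongs to someone else, find() returns nothing and we bail out.
        $item = $this->Item->find('first', array(
            'conditions' => array('Item.id' => $id, 'Item.user_id' => $userId),
        ));
        if (empty($item)) {
            $this->Session->setFlash('Item not found.');
            $this->redirect(array('action' => 'index'));
        }

        if (!empty($this->data)) {
            // Pin id and owner to server-side values, discarding client input.
            $this->Item->id = $item['Item']['id'];
            $this->data['Item']['id'] = $item['Item']['id'];
            $this->data['Item']['user_id'] = $userId;
            // Third argument is a field whitelist: only these columns are
            // written, so item_name and user_id cannot be altered on edit.
            if ($this->Item->save($this->data, true, array('description', 'quantity'))) {
                $this->Session->setFlash('Item saved.');
                $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash('The item could not be saved.');
        } else {
            $this->data = $item;   // populate the edit form
        }
    }
}
```

Because the create-only rule is skipped on update and the save is restricted to the whitelisted fields, the missing item_name in the edit form no longer makes validation fail.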