Think twice about what's actually going on in that code... If no $id or $secretid were supplied, you redirect somewhere else. If $this->data is not empty... doesn't matter. Then, last case that always gets triggered if there's ANY $id or $secretid, you fetch the data from the DB and present it to the user.
There's no validation of the $secretid going on whatsoever, how do you expect it to work?

On 16 Oct 2008, at 14:36, Cody Sortore wrote:

> Okay, with the particular site I'm building a login system isn't
> necessary, and people don't want it. The problem is that I want to
> allow the creator editing access still. People make mistakes, or may
> need to delete spam comments occasionally.
>
> What I was thinking was to have a place when creating their page where they
> put in a "secret id" that then goes into the database, and what I want
> to do is make it so that the only way to access the edit page is to have that
> secret id in the URL, for example:
>
> http://www.testsite.com/inventory/edit/secretid/1/
>
> I've actually got that working with this code:
>
> http://bin.cakephp.org/view/1344979601
>
> and a view that has a hidden field for the secret id. Problem is, with
> what I have, anything in place of the secret id allows you to edit.
> Examples:
>
> http://www.testsite.com/inventory/edit/12345/1/
> http://www.testsite.com/inventory/edit/iamahaxor/1/
> http://www.testsite.com/inventory/edit/1/1/
>
> will all allow you to edit inventory item number 1.
>
> Another annoyance I've noticed is that if you have an inventory number
> higher than what the table goes up to. Say with this one in test runs
> I've only got 3 inventory items to work with right now. If I put:
>
> http://www.testsite.com/inventory/edit/secretid/1337/
>
> it simply adds another inventory item to the list... this, like I said,
> is only a minor nuisance and can be ignored; the important part is the
> data validation (which may fix this trouble too).
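The check the reply is asking for, written out as an added example in the CakePHP 1.2 style of the thread. This is not the code behind the pastebin link and not anything the CakePHP project ships; it assumes an `Inventory` model backed by an `inventories` table with an integer `id` and a string `secret_id` column, and an `InventoriesController` with the `Session` component loaded. The first action reproduces the behaviour Cody describes (any secret works, and an unknown id inserts a row); the second looks the record up by id and secret together on every request and only saves the record that lookup returned.

```php
<?php
// Added example, not the code from the thread's pastebin link.
// Assumed schema: table `inventories` with columns `id` (int) and
// `secret_id` (string); model `Inventory`; Session component loaded.
class InventoriesController extends AppController {

    var $name = 'Inventories';
    var $components = array('Session');

    // BROKEN: mirrors the behaviour described in the post. $secretid is
    // only tested for being non-empty and never compared to the stored
    // value, so any string passes. For an $id that does not exist, the
    // form posts back without a matching row, and save() INSERTs a new one.
    function edit_broken($secretid = null, $id = null) {
        if (!$id || !$secretid) {
            $this->redirect(array('action' => 'index'));
        }
        if (!empty($this->data)) {
            // Inventory.id and Inventory.secret_id come straight from the
            // form's hidden fields, so a forged form picks the row to overwrite.
            $this->Inventory->save($this->data);
            $this->redirect(array('action' => 'index'));
        }
        $this->data = $this->Inventory->read(null, $id);
    }

    // FIXED: the row must match BOTH the id and the secret, on GET and on
    // POST alike, and nothing is saved unless that lookup succeeds.
    function edit($secretid = null, $id = null) {
        if (!$id || !$secretid) {
            $this->redirect(array('action' => 'index'));
        }

        // One query with both conditions. A wrong secret or an unknown id
        // returns no row, which also removes the "1337 creates a row" problem.
        $item = $this->Inventory->find('first', array(
            'conditions' => array(
                'Inventory.id' => $id,
                'Inventory.secret_id' => $secretid,
            ),
        ));
        if (empty($item)) {
            // Same message for "no such id" and "wrong secret" so the
            // response does not tell a guesser which half was wrong.
            $this->Session->setFlash('Not found.');
            $this->redirect(array('action' => 'index'));
        }

        if (!empty($this->data)) {
            // Pin the save to the record we just authorised and drop the
            // hidden fields; never trust id or secret_id sent back by the form.
            $this->data['Inventory']['id'] = $item['Inventory']['id'];
            unset($this->data['Inventory']['secret_id']);
            $this->Inventory->id = $item['Inventory']['id'];
            if ($this->Inventory->save($this->data)) {
                $this->Session->setFlash('Saved.');
                $this->redirect(array('action' => 'index'));
            }
        } else {
            $this->data = $item;
        }
    }
}
?>
```

Two things to keep in mind with this design: the secret travels in the URL, so it ends up in server logs, browser history and Referer headers of any outbound link on the edit page, and it is only as good as its length and randomness (a user-chosen word like "secretid" is guessable). If the model has a known set of editable columns, passing them as the `$fieldList` argument of `save()` is a cleaner whitelist than unsetting individual keys.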
