Think twice about what's actually going on in that code...

If no $id or $secretid were supplied, you redirect somewhere else.
If $this->data is not empty... doesn't matter.
Then, last case that always gets triggered if there's ANY $id or $secretid, you fetch the data from the DB and present it to the user.

There's no validation of the $secretid going on whatsoever, how do you expect it to work?

On 16 Oct 2008, at 14:36, Cody Sortore wrote:

>
> Okay, with the particular site I'm building a login system isn't
> necessary, and people don't want it.  The problem is that I want to
> allow the creator editing access still. People make mistakes, or may
> need to delete spam comments occasionally.
>
> What I was thinking was to have a place when creating their page they
> put in a "secret id" that then goes into the database and what I want
> to do is so that the only way to access the edit page is to have that
> secret id in the url for example:
>
> http://www.testsite.com/inventory/edit/secretid/1/
>
> I've actually got that working with this code:
>
> http://bin.cakephp.org/view/1344979601
>
> and a view that has a hidden field for the secret id.  Problem is with
> what I have anything in place of the secret id allows you to edit.
> Examples:
>
> http://www.testsite.com/inventory/edit/12345/1/
> http://www.testsite.com/inventory/edit/iamahaxor/1/
> http://www.testsite.com/inventory/edit/1/1/
>
> will all allow you to edit inventory item number 1.
>
> Another annoyance I've noticed is with inventory numbers higher than
> what the table goes up to.  Say with this one in test runs I've only
> got 3 inventory items to work with right now.  If I put:
>
> http://www.testsite.com/inventory/edit/secretid/1337/
>
> it simply adds another inventory item to the list. This, like I said,
> is only a minor nuisance and can be ignored; the important part is the
> data validation (which may fix this trouble too).

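To make the point concrete, here is an added example of what the missing check looks like in a CakePHP 1.2-style controller; it is not the code from the pastebin nor CakePHP's own, and it assumes an `Inventory` model with a `secret_hash` column holding a `password_hash()` of the creator's secret (PHP 5.5+ for `password_verify()`). The row is looked up and the secret verified before anything is saved, which also closes the `/edit/secretid/1337/` "creates a new item" hole.

```php
<?php
// Added example (not from the thread or from CakePHP): an edit action that
// actually validates the secret id against the stored row.
// Assumed: Inventory model with a `secret_hash` column (password_hash() of
// the creator's secret) and PHP >= 5.5 for password_verify().
class InventoryController extends AppController {

    var $name = 'Inventory';

    // URL /inventory/edit/<secret>/<id>/ maps to edit($secret, $id)
    function edit($secret = null, $id = null) {
        // 1. Look the row up FIRST and fail closed if it does not exist.
        //    This also stops /edit/secretid/1337/ from inserting a new row,
        //    because save() is never reached without a matching record.
        $row = ($id !== null)
            ? $this->Inventory->find('first', array('conditions' => array('Inventory.id' => $id)))
            : null;
        if (!$row || $secret === null) {
            $this->Session->setFlash('No such inventory item.');
            $this->redirect(array('action' => 'index'));
            return;
        }

        // 2. Compare the secret from the URL with the hash stored in the DB.
        //    The reference value comes from the database, never from a hidden
        //    form field, so a client cannot substitute its own. password_verify()
        //    is constant-time and the secret is never stored in clear.
        if (!password_verify($secret, $row['Inventory']['secret_hash'])) {
            $this->Session->setFlash('Not authorised to edit this item.');
            $this->redirect(array('action' => 'view', $id));
            return;
        }

        // 3. Only now handle the submitted form. Pin the id server-side so a
        //    tampered hidden `id` field cannot point the write at another row.
        if (!empty($this->data)) {
            unset($this->data['Inventory']['id'], $this->data['Inventory']['secret_hash']);
            $this->Inventory->id = $id;
            if ($this->Inventory->save($this->data)) {
                $this->Session->setFlash('Saved.');
                $this->redirect(array('action' => 'view', $id));
                return;
            }
        }
        $this->data = $row;
        $this->set('inventory', $row);
    }
}
```

Note that a secret carried in the URL still ends up in browser history, server logs and Referer headers; hashing it at rest limits the damage of a database leak, not of a leaked link.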
