Very insecure way ... you have to read the user_id from the database for the comment he wants to edit. There is no other secure way.

On 2 Mar., 19:18, brian <[email protected]> wrote:
> On Mon, Mar 2, 2009 at 11:01 AM, Dolbex <[email protected]> wrote:
> >
> > Hello fellow bakers!
> >
> > I have looked around for a while trying to find a 'best practice' on
> > securing edits of a hasMany relation. Simple example:
> >
> > User -> hasMany -> Comments
> >
> > If I want to allow a user to edit only his/her comments is there a
> > good way without having to re-read the record they are editing to
> > compare userid's?
>
> You can do this on the initial request.
>
> $this->data = $this->Comment->read(null, $id);
>
> if ($this->data['Comment']['user_id'] != $this->Session->read('User.id'))
> {
>     $this->flash(...)
>
> Store the user_id as a hidden form element. If you're using the
> SecurityComponent then it will be difficult to change that.
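
The ownership check discussed in this thread, as an added example that is not code from either poster or from CakePHP: plain PHP with an in-memory array standing in for the comments table. The function names, field names and sample records are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample data standing in for the comments table (hypothetical).
$comments = [
    10 => ['id' => 10, 'user_id' => 1, 'body' => 'first comment'],
    11 => ['id' => 11, 'user_id' => 2, 'body' => 'second comment'],
];

// Weak check: compares the session user against the owner id that came
// back in the submitted form, which the client controls.
function editTrustingForm(array &$comments, int $sessionUserId, array $post): bool
{
    if ((int)($post['user_id'] ?? 0) !== $sessionUserId) {
        return false;
    }
    $comments[(int)$post['id']]['body'] = (string)$post['body'];
    return true;
}

// Server-side check: the owner is re-read from storage on the save request
// and compared with the session user; nothing about ownership is taken
// from the request.
function editCheckingOwner(array &$comments, int $sessionUserId, array $post): bool
{
    $id = (int)($post['id'] ?? 0);
    $stored = $comments[$id] ?? null;
    if ($stored === null || $stored['user_id'] !== $sessionUserId) {
        return false; // unknown comment, or the session user is not its owner
    }
    // Only the whitelisted field is written; a user_id in the request is ignored,
    // so the edit cannot reassign ownership either.
    $comments[$id]['body'] = (string)($post['body'] ?? '');
    return true;
}

// Constructed request: the session user is 1, the comment id belongs to
// user 2, and the hidden user_id field carries the submitter's own id.
$mismatched = ['id' => 11, 'user_id' => 1, 'body' => 'changed'];
$ownComment = ['id' => 10, 'body' => 'edited'];

$a = $comments;
var_dump(editTrustingForm($a, 1, $mismatched), $a[11]['body']);
$b = $comments;
var_dump(editCheckingOwner($b, 1, $mismatched), $b[11]['body']);
$c = $comments;
var_dump(editCheckingOwner($c, 1, $ownComment), $c[10]['body']);
```

The second function needs no extra query if the ownership test is folded into the update's own condition (update where id and user_id both match, then check the affected row count).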
