(Note: This is my first time using CakePHP).

I have a fairly simple user model, with validation along the lines of:

        var $validate = array(
            'username' => array(
                'notEmpty' => array(
                    'rule' => 'notEmpty',
                    'message' => 'Your username is required.',
                ),
                'alphaNumeric' => array(
                    'rule' => 'alphaNumeric',
                    'message' => 'Your username can only use letters and numbers.',
                ),
                'between' => array(
                    'rule' => array('between', 5, 15),
                    'message' => 'Your username can only be between 5 to 15 characters.',
                ),
                'isUnique' => array(
                    'rule' => 'isUnique',
                    'message' => 'Your username is already in use.',
                ),
            ),
            'password' => array(
                'minLength' => array(
                    'rule' => array('minLength', 4),
                    'message' => 'Your password must be at least 4 characters long.',
                ),
            ),
            'repeat_password' => array(
                'repeat' => array(
                    'rule' => array('checkRepeatPassword'),
                    'message' => 'Your repeated password is not the same.',
                ),
            ),
            'name_first' => array('notempty'),
            'name_last' => array('notempty'),
        );

And I have then been playing with the DOM inspector in my browser,
where I removed the password field (or changed the name attribute).

When I submitted the registration form (username, password,
repeat_password fields), only with the username value supplied... the
user account was created, bypassing the password validation and
leaving the password blank (should be more than 4 characters)...
admittedly this did cause a couple of undefined variables in the
checkRepeatPassword function, but didn't stop anything.

Anyway, I've been wondering how I can avoid this happening, where
someone editing the DOM could bypass the field validation.

I did try adding the "required" attribute via:

        var $validate = array(
            'username' => array(
                'notEmpty' => array(
                    'rule' => 'notEmpty',
                    'message' => 'Your username is required.',
                    'required' => true,
                ),
        ...
            'password' => array(
                'minLength' => array(
                    'rule' => array('minLength', 4),
                    'message' => 'Your password must be at least 4 characters long.',
                    'required' => true,
                ),
            ),
        ...

Which seems to imply that the validation rules must be run (what I
want)... but then on the page where the user is able to change their
first/last name, the validation complains when the username and
password fields are not present (username should not be editable).

Craig


You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected] For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
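An added example, not code from Craig's post, showing one way to close the gap the message describes in a CakePHP 1.2/1.3-style model: 'required' => true makes a rule fail when the key is missing from the POST data entirely (the DOM-edited form), while 'on' => 'create' limits that check to new records so a profile edit that omits username and password still validates. The controller's save() call uses the third argument (a field whitelist) so the name-editing action ignores any username or password values an altered form posts. Model, field and controller names follow the question; the use of AuthComponent to identify the logged-in user is an assumption.

```php
<?php
// Added example (not the original poster's code). Assumes CakePHP 1.2/1.3
// conventions: Model::$validate with 'required' / 'on' keys and
// Model::save($data, $validate, $fieldList).
class User extends AppModel {
    var $name = 'User';

    var $validate = array(
        'username' => array(
            'notEmpty' => array(
                'rule' => 'notEmpty',
                'message' => 'Your username is required.',
                // 'required' => true: validation fails if the key is absent
                // from the submitted data, not only if it is empty.
                // 'on' => 'create': only enforced for new records, so the
                // name-edit form does not need to post a username.
                'required' => true,
                'on' => 'create',
            ),
            'alphaNumeric' => array(
                'rule' => 'alphaNumeric',
                'message' => 'Your username can only use letters and numbers.',
            ),
            'between' => array(
                'rule' => array('between', 5, 15),
                'message' => 'Your username must be between 5 and 15 characters.',
            ),
            'isUnique' => array(
                'rule' => 'isUnique',
                'message' => 'Your username is already in use.',
            ),
        ),
        'password' => array(
            'notEmpty' => array(
                'rule' => 'notEmpty',
                'message' => 'A password is required.',
                'required' => true,   // a field removed from the DOM is an error
                'on' => 'create',
            ),
            'minLength' => array(
                // No 'required' here: on update the rule is skipped when the
                // field is absent, but still runs if a new password is posted.
                'rule' => array('minLength', 4),
                'message' => 'Your password must be at least 4 characters long.',
            ),
        ),
        'repeat_password' => array(
            'repeat' => array(
                'rule' => array('checkRepeatPassword'),
                'message' => 'Your repeated password is not the same.',
                'required' => true,
                'on' => 'create',
            ),
        ),
        'name_first' => array('rule' => 'notEmpty'),
        'name_last' => array('rule' => 'notEmpty'),
    );

    // Custom rule: compare against the password field without assuming either
    // key exists, so a tampered form cannot cause undefined-index notices and
    // a missing field counts as a mismatch.
    function checkRepeatPassword($check) {
        $data = $this->data[$this->alias];
        if (!isset($data['password']) || !isset($data['repeat_password'])) {
            return false;
        }
        return $data['password'] === $data['repeat_password'];
    }
}

class UsersController extends AppController {
    var $name = 'Users';

    function register() {
        if (!empty($this->data)) {
            // create() clears the id, so the 'on' => 'create' rules apply.
            $this->User->create();
            if ($this->User->save($this->data)) {
                $this->redirect(array('action' => 'index'));
            }
        }
    }

    function edit_name() {
        if (!empty($this->data)) {
            // Assumption: AuthComponent is loaded; the record edited is the
            // logged-in user's own, never an id taken from the request.
            $this->User->id = $this->Auth->user('id');
            // Third argument is the field whitelist: only these two columns
            // are validated and saved, so extra username/password values in
            // the POST body are ignored.
            $this->User->save($this->data, true, array('name_first', 'name_last'));
        }
    }
}
```

With this arrangement the registration form cannot skip the password rules by dropping the field, because a missing key is itself a validation error on create, while the name-edit action neither expects nor accepts the username and password fields.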
