Thanks John,

It does strike me as a little odd that "'required' => true" is at the
individual rule(s) specific level, and not the field specific level...
as in:

        var $validate = array(
            'username' => array(
                'required' => true, <-- SHOULD BE HERE
                'notEmpty' => array(
                    'rule' => 'notEmpty',
                    'message' => 'Your username is required.',
                ),
                ...
            ),

Rather than:

        var $validate = array(
            'username' => array(
                'notEmpty' => array(
                    'rule' => 'notEmpty',
                    'message' => 'Your username is required.',
                    'required' => true, <-- NOT HERE
                ),
                'alphaNumeric' => array(
                    'rule' => 'alphaNumeric',
                    'message' => 'Your username can only use letters and numbers.',
                    'required' => true, <-- AND NOT HERE, etc, etc
                ),
                ...
            ),

As in, that 'required' will technically need to be set on every rule
(which is not the default) so that you can get the "safe" setting.

Shouldn't it be the case that frameworks (or at least my
interpretation of them) should be safe by default, and you need to
explicitly tell them to disable security features in order to open
them up?

But then again... on the $this->Model->save() method... you can (and
should) pass in a "fieldList"... which is good for stopping hackers/
crackers adding additional fields (e.g. an "is_admin" field on a
generic user registration form), but that is just to limit the fields,
it doesn't seem to say "these are all the fields which will be
supplied, and if that field does not exist in the $data array, try to
validate it as an empty string".

Craig



On Jan 30, 8:03 am, John Andersen <[email protected]> wrote:
> You did correctly, added the required => true attribute.
> Only when you want to update the other fields, as you state, then you
> should turn off the rules for username and password by:
>
> [code]
> unset($this->User->validate['username']);
> unset($this->User->validate['password']);
> // rest of code, where you do your update.
> [/code]
>
> The above turns off the two validation rules for username and password
> so that you can save/update the other fields.
>
> Enjoy,
>    John
>
> On Jan 29, 7:27 pm, Craig Francis <[email protected]> wrote:
>
> > (Note: This is my first time using CakePHP).
>
> > I have a fairly simple user model, with validation along the lines of:
>
> >         var $validate = array(
> >             'username' => array(
> >                 'notEmpty' => array(
> >                     'rule' => 'notEmpty',
> >                     'message' => 'Your username is required.',
> >                 ),
> >                 'alphaNumeric' => array(
> >                     'rule' => 'alphaNumeric',
> >                     'message' => 'Your username can only use letters and numbers.',
> >                 ),
> >                 'between' => array(
> >                     'rule' => array('between', 5, 15),
> >                     'message' => 'Your username can only be between 5 to 15 characters.',
> >                 ),
> >                 'isUnique' => array(
> >                     'rule' => 'isUnique',
> >                     'message' => 'Your username is already in use.',
> >                 ),
> >             ),
> >             'password' => array(
> >                 'minLength' => array(
> >                     'rule' => array('minLength', 4),
> >                     'message' => 'Your password must be at least 4 characters long.',
> >                 ),
> >             ),
> >             'repeat_password' => array(
> >                 'repeat' => array(
> >                     'rule' => array('checkRepeatPassword'),
> >                     'message' => 'Your repeated password is not the same.',
> >                 ),
> >             ),
> >             'name_first' => array('notempty'),
> >             'name_last' => array('notempty'),
> >         );
>
> > And I have then been playing with the DOM inspector in my browser,
> > where I removed the password field (or changed the name attribute).
>
> > When I submitted the registration form (username, password,
> > repeat_password fields), only with the username value supplied... the
> > user account was created, bypassing the password validation and
> > leaving the password blank (should be more than 4 characters)...
> > admittedly this did cause a couple of undefined variables in the
> > checkRepeatPassword function, but didn't stop anything.
>
> > Anyway, I've been wondering how I can avoid this happening, where
> > someone editing the DOM could bypass the field validation.
>
> > I did try adding the "required" attribute via:
>
> >         var $validate = array(
> >             'username' => array(
> >                 'notEmpty' => array(
> >                     'rule' => 'notEmpty',
> >                     'message' => 'Your username is required.',
> >                     'required' => true,
> >                 ),
> >         ...
> >             'password' => array(
> >                 'minLength' => array(
> >                     'rule' => array('minLength', 4),
> >                     'message' => 'Your password must be at least 4 characters long.',
> >                     'required' => true,
> >                 ),
> >             ),
> >         ...
>
> > Which seems to imply that the validation rules must be run (what I
> > want)... but then on the page where the user is able to change their
> > first/last name, the validation complains when the username and
> > password fields are not present (username should not be editable).
>
> > Craig
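To make the behaviour discussed in this thread concrete, here is an added example (constructed for this page, not CakePHP's code and not either poster's): a small simulation of rule-level 'required' defaulting to off, absent fields skipping their rules, the save() fieldList whitelist, and the "validate a missing whitelisted field as an empty string" behaviour Craig asks for. The rule callables, the `validate()` function and its `missing_as_empty` parameter are assumptions made for the illustration.

```python
# Constructed simulation of the validation semantics this thread describes,
# not CakePHP's own code: 'required' is a per-rule flag defaulting to False,
# and a rule is skipped when its field is absent unless required => True.
def not_empty(v):
    return v != ""

def alpha_numeric(v):
    return v.isalnum()

def min_length(v, n):
    return len(v) >= n

# Craig's original $validate, with 'required' left at its default everywhere.
VALIDATE = {
    'username': {
        'notEmpty': {'rule': (not_empty,)},
        'alphaNumeric': {'rule': (alpha_numeric,)},
    },
    'password': {
        'minLength': {'rule': (min_length, 4)},
    },
}

# John's fix: 'required' => true on every rule of the registration fields.
VALIDATE_REQUIRED = {
    field: {name: dict(spec, required=True) for name, spec in rules.items()}
    for field, rules in VALIDATE.items()
}

def validate(schema, data, field_list=None, missing_as_empty=False):
    """Return {field: first failing rule}; empty dict means the data passed.
    field_list limits validation to the listed fields (the save() whitelist);
    missing_as_empty is what Craig asks for: a whitelisted field absent from
    data is validated as '' instead of being skipped."""
    errors = {}
    for field, rules in schema.items():
        if field_list is not None and field not in field_list:
            continue
        for name, spec in rules.items():
            fn, *args = spec['rule']
            if field not in data and not missing_as_empty:
                if spec.get('required', False):
                    errors[field] = name  # required rule, field missing
                    break
                continue  # default: absent field, rule silently skipped
            if not fn(data.get(field, ""), *args):
                errors[field] = name
                break
    return errors
```

With the default schema a form whose password field was removed in the DOM inspector validates cleanly; with 'required' on each rule the missing password is reported, and a fieldList keeps the profile-edit form from tripping over the absent username and password rules.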
