Hello,

(my users edit action is below)
What I'm wondering is if there's any way a user could make their own
form and submit it to this action and update someone else's profile?

I've seen that even though in my view I have the form submitting to my
users controller and edit action, in my source code it actually is
using the user's ID. I don't have the edit action submitting by ID; it
is looking up the logged-in user.

Where I'm checking if the $this->data is not empty, I also do a check
to see if the $this->User->id is equal to $this->Auth->user('id'). Is
this a proper check, so that if they tried to meddle with it by
making their own form, this would prevent them from updating, since the
id they submit wouldn't match the current logged-in user's id through
Auth? Correct?

I have a users controller with an edit action which looks like this:

function edit() {
    // ensure user is logged in
    if ($this->_loggedIn()) {
        // save updated user info if user id is equal to logged in user id
        if (!empty($this->data) && ($this->User->id == $this->Auth->user('id'))) {
            if ($this->User->save($this->data)) {
                $this->Session->setFlash('Your personal information has been updated.');
                $this->redirect(array('controller' => 'profiles', 'action' => 'index'));
            } else {
                $this->Session->setFlash('Your personal information was not updated, please try again.');
            }
        }
        // display logged in user info to edit
        $user = $this->User->read(null, $this->Auth->user('id'));
        $this->data = $user;
    }
}

I have the _loggedIn() method in my app controller which returns true
or false if I have a logged in user. Thanks for any help.
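An added example, not the poster's code, of the same CakePHP 1.x-style edit action written so that the row being updated is decided by the session rather than by the posted form: the id that Model::save() actually uses comes from $this->data['User']['id'] in the request body, so the action overwrites it with $this->Auth->user('id') and passes a field whitelist to save(). It assumes the same User model, Auth component and _loggedIn() helper as the post; the field names in the whitelist are placeholders.

```php
<?php
// Added example (assumption: CakePHP 1.x controller with AuthComponent
// and the poster's _loggedIn() helper; field names are placeholders).
class UsersController extends AppController {
    var $name = 'Users';
    var $components = array('Auth', 'Session');

    function edit() {
        if (!$this->_loggedIn()) {
            $this->redirect(array('action' => 'login'));
            return;
        }

        // The only id this action will ever write to comes from the session.
        $userId = $this->Auth->user('id');

        if (!empty($this->data)) {
            // Replace whatever id (if any) was posted with the session id, so a
            // hand-built form pointing at another user's id is simply ignored.
            $this->data['User']['id'] = $userId;
            $this->User->id = $userId;

            // Whitelist of columns the user may change; any other posted
            // column (role, password hash, ...) is dropped by save().
            $editable = array('first_name', 'last_name', 'email');

            if ($this->User->save($this->data, true, $editable)) {
                $this->Session->setFlash('Your personal information has been updated.');
                $this->redirect(array('controller' => 'profiles', 'action' => 'index'));
                return;
            }
            $this->Session->setFlash('Your personal information was not updated, please try again.');
        }

        // Populate the form from the logged-in user's own record.
        $this->data = $this->User->read(null, $userId);
    }
}
```

The check in the original post compares $this->User->id, which a fresh request has not yet populated from the form, so forcing the id from the session and whitelisting fields is the part that actually prevents one user from writing another user's row.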
