Why do you need to submit the user's id and check it against the logged-in user's id?
On Thu, Sep 16, 2010 at 9:00 AM, andrewperk <[email protected]> wrote:
> Hello,
>
> (my users edit action is below)
> What I'm wondering is if there's any way a user could make their own
> form and submit it to this action and update someone else's profile?
>
> I've seen that even though in my view I have the form submitting to my
> users controller and edit action, in my source code it actually is
> using the user's ID. I don't have the edit action submitting by ID, it
> is looking up the logged-in user.
>
> Where I'm checking if the $this->data is not empty, I also do a check
> to see if the $this->User->id is equal to $this->Auth->user('id'). Is
> this a proper check, so that if they tried to meddle with it by
> making their own form this would prevent them from updating, since the
> id they submit wouldn't match the current logged-in user's id through
> Auth, correct?
>
> I have a users controller with an edit action which looks like this:
>
> function edit() {
>     // ensure user is logged in
>     if ($this->_loggedIn()) {
>         // save updated user info if user id is equal to logged in user id
>         if (!empty($this->data) && ($this->User->id == $this->Auth->user('id'))) {
>             if ($this->User->save($this->data)) {
>                 $this->Session->setFlash('Your personal information has been updated.');
>                 $this->redirect(array('controller'=>'profiles', 'action'=>'index'));
>             } else {
>                 $this->Session->setFlash('Your personal information was not updated, please try again.');
>             }
>         }
>         // display logged in user info to edit
>         $user = $this->User->read(NULL, $this->Auth->user('id'));
>         $this->data = $user;
>     }
> }
>
> I have the _loggedIn() method in my app controller which returns true
> or false if I have a logged in user. Thanks for any help.
>
> Check out the new CakePHP Questions site http://cakeqs.org and help others
> with their CakePHP related questions.
>
> You received this message because you are subscribed to the Google Groups
> "CakePHP" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to [email protected]
> For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
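An added, hardened version of the edit action (not code from the thread) for CakePHP 1.3: the row to update is chosen from the session, never from the submitted form, and the editable columns are whitelisted through the third argument of Model::save(), so a crafted form carrying another user's id (or extra fields) cannot change whose record gets saved or which columns change. The column names in the whitelist are assumed.

```php
<?php
// Added example, not the original poster's code: a hardened edit action
// for CakePHP 1.3. Identity comes from the session (Auth), never from
// the POSTed form, so forging data[User][id] has no effect.
class UsersController extends AppController {
    var $name = 'Users';
    var $components = array('Auth', 'Session');

    function edit() {
        // same _loggedIn() helper from AppController as in the original post
        if ($this->_loggedIn()) {
            // the only trusted source of "who is editing": the session
            $userId = $this->Auth->user('id');

            if (!empty($this->data)) {
                // Drop whatever id the client sent and force the primary key
                // server-side; Model::save() would otherwise take it from
                // $this->data['User']['id'].
                unset($this->data['User']['id']);
                $this->User->id = $userId;

                // Whitelist of editable columns (assumed names). Fields not
                // listed here, e.g. 'role' or 'password' added to a forged
                // form, are ignored instead of mass-assigned.
                $editable = array('username', 'email', 'first_name', 'last_name');

                if ($this->User->save($this->data, true, $editable)) {
                    $this->Session->setFlash('Your personal information has been updated.');
                    $this->redirect(array('controller' => 'profiles', 'action' => 'index'));
                } else {
                    $this->Session->setFlash('Your personal information was not updated, please try again.');
                }
            } else {
                // Show the logged-in user's own record; a failed save keeps
                // the submitted values in $this->data for re-display.
                $this->data = $this->User->read(null, $userId);
            }
        }
    }
}
```

With this shape there is nothing to compare against the submitted id, which is the point of the reply above: the client never gets to choose the record.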
