Thanks for responding Andrei,
I didn't think I was submitting the user's ID. I thought I was just
comparing the user's ID to the logged-in user's ID to make sure they
match before the update takes place. This would ensure that the logged-in
user is only updating his profile and can't change it to be someone
else's.
So is the "&& ($this->User->id == $this->Auth->user('id'))" part
unnecessary? I think I may be doing it wrong. I'm just worried that a
user could change the ID that the form is submitting to and update
someone else's profile. I see in the HTML source code that it's still
generating action="users/edit/6" even though my users edit action
doesn't take an ID as a parameter. Thanks.
On Sep 15, 11:30 pm, Andrei Mita <[email protected]> wrote:
> Why do you need to submit the user's id and check it against the logged user
> id?
>
> On Thu, Sep 16, 2010 at 9:00 AM, andrewperk <[email protected]> wrote:
> > Hello,
>
> > (my users edit action is below)
> > What I'm wondering is if there's any way a user could make their own
> > form and submit it to this action and update someone else's profile?
>
> > I've seen that even though in my view I have the form submitting to my
> > users controller and edit action, in my source code it actually is
> > using the user's ID. I don't have the edit action submitting by ID, it
> > is looking up the logged-in user.
>
> > Where I'm checking if the $this->data is not empty, I also do a check
> > to see if the $this->User->id is equal to $this->Auth->user('id'). Is
> > this a proper check, so that if they were to try to meddle with it by
> > making their own form this would prevent them from updating, since the
> > ID they submit wouldn't match the current logged-in user's ID through
> > Auth, correct?
>
> > I have a users controller with an edit action which looks like this:
>
> > function edit() {
> >     // ensure user is logged in
> >     if ($this->_loggedIn()) {
> >         // save updated user info if user id is equal to logged in user id
> >         if (!empty($this->data) && ($this->User->id == $this->Auth->user('id'))) {
> >             if ($this->User->save($this->data)) {
> >                 $this->Session->setFlash('Your personal information has been updated.');
> >                 $this->redirect(array('controller' => 'profiles', 'action' => 'index'));
> >             } else {
> >                 $this->Session->setFlash('Your personal information was not updated, please try again.');
> >             }
> >         }
> >         // display logged in user info to edit
> >         $user = $this->User->read(NULL, $this->Auth->user('id'));
> >         $this->data = $user;
> >     }
> > }
>
> > I have the _loggedIn() method in my app controller which returns true
> > or false if I have a logged in user. Thanks for any help.
>
> > Check out the new CakePHP Questions site http://cakeqs.org and help others
> > with their CakePHP related questions.
> >
> > You received this message because you are subscribed to the Google Groups
> > "CakePHP" group.
> > To post to this group, send email to [email protected]
> > To unsubscribe from this group, send email to [email protected]
> > For more options, visit this group at
> > http://groups.google.com/group/cake-php?hl=en
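The concern raised in this thread is a classic insecure direct object reference: in CakePHP 1.x, Model::save() picks the row to UPDATE from $this->data['User']['id'], and $this->User->id is not populated from the posted data until save() itself calls set(), so comparing $this->User->id against the session id before save() does not check what the form submitted. Below is an added example (editor's code, not code from the thread or from the CakePHP project) of an edit() action that refuses to trust any submitted id at all: it overwrites the id with the one from Auth and whitelists the columns that may change via save()'s fieldList argument. The column names, the $editableFields property and the 'profiles' redirect are assumptions for illustration; the poster's _loggedIn() helper is replaced by a direct Auth check.

```php
<?php
// Added example for a CakePHP 1.3-style UsersController (not the thread's
// own code). Assumptions: the users table has username, email, first_name
// and last_name columns, and a ProfilesController::index() exists.
class UsersController extends AppController {
    var $name = 'Users';
    var $components = array('Auth', 'Session');

    // Whitelist of columns a user may change on their own row. Anything
    // else that arrives in the POST (id, role, group_id, ...) is dropped
    // by the fieldList argument to save(), so a hand-built form cannot
    // smuggle in extra columns either.
    var $editableFields = array('username', 'email', 'first_name', 'last_name');

    function edit() {
        // Identity comes from the session only, never from the URL or form.
        $userId = $this->Auth->user('id');
        if (!$userId) {
            $this->redirect($this->Auth->loginAction);
            return;
        }

        if (!empty($this->data)) {
            // Overwrite whatever id the form carried (FormHelper's hidden
            // field, or a value an attacker edited) with the session's id.
            // Model::save() uses this value in its WHERE clause, so the
            // update can only ever touch the logged-in user's row.
            $this->data['User']['id'] = $userId;
            $this->User->id = $userId;

            // Third argument (fieldList) restricts which columns are written.
            if ($this->User->save($this->data, true, $this->editableFields)) {
                $this->Session->setFlash('Your personal information has been updated.');
                $this->redirect(array('controller' => 'profiles', 'action' => 'index'));
                return;
            }
            $this->Session->setFlash('Your personal information was not updated, please try again.');
            // Fall through with $this->data still holding the POST so the
            // form redisplays the values and validation errors.
        } else {
            // First visit: load the form from the logged-in user's row.
            $this->data = $this->User->read(null, $userId);
        }
    }
}
```

Note that the view's form will still render as action="/users/edit/6" with a hidden id field: CakePHP 1.3's FormHelper appends the record's primary key to the action URL and emits the hidden input whenever $this->data['User']['id'] is set. That is harmless once the action ignores both the URL parameter and the posted id, as above; a quick check is to submit the form with the hidden id changed to another user's value and confirm that only the logged-in user's row changes.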