Belt and braces - for non-admin type actions I always check against Auth user 
id for this very reason. I often place other ids into the session and check 
that first; for example in an e-commerce situation where I know nothing about 
the user (who might not even have registered and/or logged in yet) I have no 
way of knowing whether they are really able to affect order_id 1000. Who does 
have that right? So as soon as a stub order is created, place the id into the 
session. Then even if the user changes the id in the form or url to 1001, they 
always get directed back to 'their' order, 1000. This works for plain old view 
functions too, as I don't want them peeking at other people's orders.

Jeremy Burns
Class Outfit

[email protected]
http://www.classoutfit.com
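The two patterns Jeremy describes above (use the Auth user id as the record id for profile edits; for anonymous checkout, only allow edits to the order id stored in the session) as an added plain-PHP example, not code from the thread or from CakePHP. It runs with `php` on its own; the `$auth`/`$session` arrays, `editProfile()` and `editOrder()` are stand-ins for the Auth component, the Session and the controller actions, and the user and order data are constructed.

```php
<?php
// Added example, not from the thread: server-side ownership checks for
// edit actions, modelled in plain PHP so it runs without CakePHP.
// $auth, $session, editProfile() and editOrder() are assumed stand-ins.

declare(strict_types=1);

// Constructed stand-ins for Auth::user('id') and the session.
$auth    = ['id' => 5];            // the logged-in user
$session = ['Order.id' => 1000];   // stub order id stored when it was created

// Constructed data store.
$users  = [5 => ['name' => 'alice'], 6 => ['name' => 'bob']];
$orders = [1000 => ['status' => 'new'], 1001 => ['status' => 'new']];

/**
 * Profile edit: the id in the form or URL is never trusted. The record that
 * gets updated is always the authenticated user's own id, which is what
 * setting $this->User->id from $this->Auth->user('id') before save() does.
 */
function editProfile(array $auth, array $formData, array &$users): string
{
    $ownId = $auth['id'];
    // Overwrite whatever User.id the client submitted with the Auth id.
    $formData['User']['id'] = $ownId;
    $users[$ownId]['name'] = $formData['User']['name'];
    return "updated user {$ownId}";
}

/**
 * Order edit for a visitor who may not be logged in: the only order this
 * session may touch is the one recorded when the stub order was created.
 * Any other requested id is sent back to 'their' order.
 */
function editOrder(array $session, int $requestedId, array &$orders): string
{
    $ownedId = $session['Order.id'] ?? null;
    if ($ownedId === null) {
        return 'no order in session, redirect to cart';
    }
    if ($requestedId !== $ownedId) {
        return "redirect to order {$ownedId}";
    }
    $orders[$ownedId]['status'] = 'edited';
    return "edited order {$ownedId}";
}

// A tampered profile form that claims to be users/edit/6 still only
// changes user 5; user 6 is untouched.
$tampered = ['User' => ['id' => 6, 'name' => 'mallory']];
echo editProfile($auth, $tampered, $users), PHP_EOL;
echo 'user 6 is still ', $users[6]['name'], PHP_EOL;

// Changing the order id in the URL from 1000 to 1001 does not reach 1001.
echo editOrder($session, 1001, $orders), PHP_EOL;
echo editOrder($session, 1000, $orders), PHP_EOL;
echo 'order 1001 is still ', $orders[1001]['status'], PHP_EOL;
```

The point of the design is that the client-supplied id is never the authority: for a logged-in user the primary key comes from Auth, and for an anonymous visitor it comes from a value the server itself placed in the session, so a hand-made form or an edited URL cannot select someone else's record.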

On 16 Sep 2010, at 07:41, andrewperk wrote:

> Thanks for responding Andrei,
> 
> I didn't think I was submitting the user's ID. I thought I was just
> comparing the user's id to the logged in user's id to make sure they
> match before the update takes place. This would ensure that the logged
> in user is only updating his profile and can't change it to be someone
> else's.
> 
> So is the: "&& ($this->User->id == $this->Auth->user('id')"  part
> unnecessary? I think I may be doing it wrong. I'm just worried that a
> user could change the ID that the form is submitting to and update
> someone else's profile. I see in the html source code that it's still
> generating "action="users/edit/6"" even though my users edit action
> doesn't take an ID as a parameter. Thanks.
> 
> On Sep 15, 11:30 pm, Andrei Mita <[email protected]> wrote:
>> Why do you need to submit the user's id and check it against the logged user
>> id?
>> 
>> On Thu, Sep 16, 2010 at 9:00 AM, andrewperk <[email protected]> wrote:
>>> Hello,
>> 
>>> (my users edit action is below)
>>> What I'm wondering is if there's any way a user could make their own
>>> form and submit it to this action and update someone else's profile?
>> 
>>> I've seen that even though in my view I have the form submitting to my
>>> users controller and edit action, in my source code it actually is
>>> using the users ID. I don't have the edit action submitting by ID, it
>>> is looking up the logged in user.
>> 
>>> Where I'm checking if the $this->data is not empty, I also do a check
>>> to see if the $this->User->id is equal to $this->Auth->user('id'). Is
>>> this a proper check, so that if they tried to meddle with it by
>>> making their own form this would prevent them from updating, since the
>>> id they submit wouldn't match the current logged in user's id through
>>> Auth, correct?
>> 
>>> I have a users controller with an edit action which looks like this:
>> 
>>> function edit() {
>>>     // ensure user is logged in
>>>     if ($this->_loggedIn()) {
>>>         // save updated user info if user id is equal to logged in user id
>>>         if (!empty($this->data) && ($this->User->id == $this->Auth->user('id'))) {
>>>             if ($this->User->save($this->data)) {
>>>                 $this->Session->setFlash('Your personal information has been updated.');
>>>                 $this->redirect(array('controller' => 'profiles', 'action' => 'index'));
>>>             } else {
>>>                 $this->Session->setFlash('Your personal information was not updated, please try again.');
>>>             }
>>>         }
>>>         // display logged in user info to edit
>>>         $user = $this->User->read(NULL, $this->Auth->user('id'));
>>>         $this->data = $user;
>>>     }
>>> }
>> 
>>> I have the _loggedIn() method in my app controller which returns true
>>> or false if I have a logged in user. Thanks for any help.
>> 
>>> Check out the new CakePHP Questions site http://cakeqs.org and help others
>>> with their CakePHP related questions.
>> 
>>> You received this message because you are subscribed to the Google Groups
>>> "CakePHP" group.
>>> To post to this group, send email to [email protected]
>>> To unsubscribe from this group, send email to
>>> [email protected] For more options, visit this group at
>>> http://groups.google.com/group/cake-php?hl=en

