You only need:
if($this->Auth->user('id')) {
update your data where User.id => $this->Auth->user('id')
}
On Thu, Sep 16, 2010 at 9:41 AM, andrewperk <[email protected]> wrote:
> Thanks for responding Andrei,
>
> I didn't think I was submitting the user's ID. I thought I was just
> comparing the user's id to the logged-in user's id to make sure they
> match before the update takes place. This would ensure that the logged-in
> user is only updating his profile and can't change it to be someone
> else's.
>
> So is the "&& ($this->User->id == $this->Auth->user('id'))" part
> unnecessary? I think I may be doing it wrong. I'm just worried that a
> user could change the ID that the form is submitting to and update
> someone else's profile. I see in the HTML source code that it's still
> generating action="users/edit/6" even though my users edit action
> doesn't take an ID as a parameter. Thanks.
>
> On Sep 15, 11:30 pm, Andrei Mita <[email protected]> wrote:
> > Why do you need to submit the user's id and check it against the logged
> > user id?
> >
> > On Thu, Sep 16, 2010 at 9:00 AM, andrewperk <[email protected]> wrote:
> > > Hello,
> >
> > > (my users edit action is below)
> > > What I'm wondering is if there's any way a user could make their own
> > > form and submit it to this action and update someone else's profile?
> >
> > > I've seen that even though in my view I have the form submitting to my
> > > users controller and edit action, in my source code it actually is
> > > using the user's ID. I don't have the edit action submitting by ID; it
> > > is looking up the logged-in user.
> >
> > > Where I'm checking if $this->data is not empty, I also do a check
> > > to see if $this->User->id is equal to $this->Auth->user('id'). Is
> > > this a proper check, so that if they tried to meddle with it by
> > > making their own form, this would prevent them from updating, since the
> > > id they submit wouldn't match the currently logged-in user's id through
> > > Auth? Correct?
> >
> > > I have a users controller with an edit action which looks like this:
> >
> > > function edit() {
> > >     // ensure user is logged in
> > >     if ($this->_loggedIn()) {
> > >         // save updated user info if user id is equal to logged in user id
> > >         if (!empty($this->data) && ($this->User->id == $this->Auth->user('id'))) {
> > >             if ($this->User->save($this->data)) {
> > >                 $this->Session->setFlash('Your personal information has been updated.');
> > >                 $this->redirect(array('controller' => 'profiles', 'action' => 'index'));
> > >             } else {
> > >                 $this->Session->setFlash('Your personal information was not updated, please try again.');
> > >             }
> > >         }
> > >         // display logged in user info to edit
> > >         $user = $this->User->read(NULL, $this->Auth->user('id'));
> > >         $this->data = $user;
> > >     }
> > > }
> >
> > > I have the _loggedIn() method in my app controller, which returns true
> > > or false depending on whether I have a logged-in user. Thanks for any help.
Check out the new CakePHP Questions site http://cakeqs.org and help others with
their CakePHP related questions.
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected] For more options, visit this group at
http://groups.google.com/group/cake-php?hl=en
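The point Andrei makes in the thread, shown as an added, self-contained example that is not code from the thread or from CakePHP: the row that gets written must be chosen from the server-side session (Auth), never from a User.id the browser posts, whether that id comes from FormHelper's hidden field or from a hand-made form. The script below models the edit action with plain PHP arrays standing in for the users table and the Auth session, and a small saveUser() stand-in that, like the thread assumes of save(), picks the target row from data['User']['id'] when present. Names (saveUser, editVulnerable, editSafe, the sample users and the 'bio' whitelist) are all constructed for the demonstration; run it with `php idor_demo.php`.

```php
<?php
// Added example, not from the thread or CakePHP. A self-contained model of
// the two versions of the edit action, using plain PHP arrays in place of
// the database and the Auth session so it runs stand-alone.

// Constructed sample "users" table, keyed by primary key.
$users = [
    3 => ['id' => 3, 'username' => 'alice', 'bio' => 'original alice bio'],
    6 => ['id' => 6, 'username' => 'bob',   'bio' => 'original bob bio'],
];

// Stand-in for the model's save(): the row to update is taken from
// data['User']['id'] when that key is present (this models the behaviour
// the thread is worried about; it is not CakePHP's own code).
function saveUser(array &$table, array $data): bool
{
    $row = $data['User'] ?? [];
    if (!isset($row['id']) || !isset($table[$row['id']])) {
        return false;
    }
    $table[$row['id']] = array_merge($table[$row['id']], $row);
    return true;
}

// Vulnerable: only checks that someone is logged in, then saves the posted
// data as-is, so whatever User.id the client sent decides which row is written.
function editVulnerable(array &$table, array $postData, int $sessionUserId): bool
{
    if ($sessionUserId <= 0) {          // the "is logged in" check
        return false;
    }
    return saveUser($table, $postData);
}

// Hardened: the target row comes from the session, never from the request.
// Any User.id in the POST body is overwritten, and only whitelisted columns
// are accepted so a forged form cannot touch other fields either.
function editSafe(array &$table, array $postData, int $sessionUserId): bool
{
    if ($sessionUserId <= 0) {
        return false;
    }
    $allowed = ['bio'];                 // hypothetical list of self-editable columns
    $row = array_intersect_key($postData['User'] ?? [], array_flip($allowed));
    $row['id'] = $sessionUserId;        // the only id that is ever used
    return saveUser($table, ['User' => $row]);
}

// Constructed attack: alice (id 3) is logged in but posts User.id = 6 plus a
// new username and bio, the forged-form case raised in the thread.
$forged = ['User' => ['id' => 6, 'username' => 'pwned', 'bio' => 'alice was here']];

$vulnerable = $users;
editVulnerable($vulnerable, $forged, 3);
echo "vulnerable: bob = " . json_encode($vulnerable[6]) . "\n";

$safe = $users;
editSafe($safe, $forged, 3);
echo "hardened:   bob = " . json_encode($safe[6]) . "\n";
echo "hardened:   alice = " . json_encode($safe[3]) . "\n";
```

With the vulnerable handler, bob's row is overwritten by a request from alice's session; with the hardened one, bob's row is untouched and only alice's bio changes, while the posted username is dropped by the whitelist. In a CakePHP 1.x controller the same two moves are setting `$this->data['User']['id'] = $this->Auth->user('id')` (or `$this->User->id = $this->Auth->user('id')`) immediately before calling `save()`, and passing the editable columns in save()'s fieldList argument; comparing `$this->User->id` against the session before save() is not a substitute, because it is the posted data, not that property, that decides which row save() writes.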