Isn't this what the Security component is for? http://book.cakephp.org/view/1296/Security-Component
On Sep 17, 8:05 am, Andrei Mita <[email protected]> wrote:
> I believe that is true. You can test this by opening the page with FF, alter
> the form with Firebug and submit it.
>
> On Thu, Sep 16, 2010 at 9:38 PM, andrewperk <[email protected]> wrote:
> > Thanks for everyone's help.
> >
> > I just want to confirm though. In my edit action if I set:
> >
> >     $this->Profile->id = 3;
> >
> > Assume 3 is the profile ID, this will force the edit action to only
> > update the profile with ID of 3, correct? Even if a malicious user
> > modified the form to try to update a different profile number? Thanks.
> >
> > On Sep 16, 8:26 am, cricket <[email protected]> wrote:
> > > On Thu, Sep 16, 2010 at 2:41 AM, andrewperk <[email protected]> wrote:
> > > > Thanks for responding Andrei,
> > > >
> > > > I didn't think I was submitting the user's ID. I thought I was just
> > > > comparing the user's id to the logged in user's id to make sure they
> > > > match before the update takes place. This would ensure that the logged
> > > > in user is only updating his profile and can't change it to be someone
> > > > else's.
> > > >
> > > > So is the "&& ($this->User->id == $this->Auth->user('id')" part
> > > > unnecessary? I think I may be doing it wrong. I'm just worried that a
> > > > user could change the ID that the form is submitting to and update
> > > > someone else's profile. I see in the HTML source code that it's still
> > > > generating action="users/edit/6" even though my users edit action
> > > > doesn't take an ID as a parameter. Thanks.
> > >
> > > This is what I do:
> > >
> > >     public function edit()
> > >     {
> > >         // the row to update always comes from the session, never the form
> > >         $id = $this->Auth->user('id');
> > >
> > >         if (!empty($this->data))
> > >         {
> > >             // overwrite whatever id the submitted form carried
> > >             $this->data['Member']['id'] = $id;
> > >
> > >             if ($this->Member->save($this->data))
> > >             {
> > >                 ...
> > >             }
> > >         }
> > >         else
> > >         {
> > >             $this->data = $this->Member->read(null, $id);
> > >         }
> > >
> > >         ...
> > >     }
> > >
> > > Of course, I also ensure that edit is not an allowed action.
Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions.

You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
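The thread's advice combined in one CakePHP 1.3 controller, as an added example that is not code from the thread or from CakePHP itself: the row to update is derived from the session rather than from the URL or a hidden field, the writable columns are whitelisted through save()'s fieldList, and the Security component is loaded as the top reply suggests. A Profile model with a user_id column and bio/website/location fields, and an Auth component configured in AppController, are assumptions.

```php
<?php
// Added example (not from the thread). Assumes a Profile model with a
// user_id column and bio/website/location fields (hypothetical schema).
class ProfilesController extends AppController {
    var $name = 'Profiles';
    // Security component (CakePHP 1.3): with validatePost enabled (the
    // default) it signs the field list of every FormHelper form and blackholes
    // a POST whose fields were added, removed or changed in the browser.
    var $components = array('Auth', 'Security', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->deny('edit'); // edit must never be a public action
    }

    // No $id parameter on purpose: the row to update is derived from the
    // session, so neither the URL nor a hidden "id" field can pick another row.
    function edit() {
        $userId = $this->Auth->user('id');
        $profileId = $this->Profile->field('id', array('Profile.user_id' => $userId));
        if (!$profileId) {
            $this->cakeError('error404');
        }

        if (!empty($this->data)) {
            // Overwrite whatever the client posted for the ownership fields...
            $this->Profile->id = $profileId;
            $this->data['Profile']['id'] = $profileId;
            $this->data['Profile']['user_id'] = $userId;

            // ...and whitelist the columns a user may change, so extra fields
            // injected into the form (role, user_id, ...) are dropped by save().
            $fieldList = array('bio', 'website', 'location');
            if ($this->Profile->save($this->data, true, $fieldList)) {
                $this->Session->setFlash('Your profile has been updated.');
                $this->redirect(array('action' => 'view'));
            }
        } else {
            // Populate the form from the caller's own row only
            $this->data = $this->Profile->read(null, $profileId);
        }
    }
}
```

The fieldList is what makes the ownership overwrite robust: even if a future form gains more fields, only the listed columns can ever be written by a client.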
