the *initial* request to the edit action when the Comment data is
fetched from the DB in order to send to the form, not the subsequent
POSTed data. The SecurityComponent can then take care of ensuring that
the form data was not fiddled with.
On Mon, Mar 2, 2009 at 4:25 PM, georg <georgreitschmidt@googlemail.com> wrote:
>
> very insecure way ... you have to read the user_id from the database
> for the comment he wants to edit; there is no other secure way
>
> On 2 Mar., 19:18, brian <bally.z...@gmail.com> wrote:
>> On Mon, Mar 2, 2009 at 11:01 AM, Dolbex <dol...@gmail.com> wrote:
>>
>> > Hello fellow bakers!
>>
>> > I have looked around for a while trying to find a 'best practice' on
>> > securing edits of a hasMany relation. Simple example:
>>
>> > User -> hasMany -> Comments
>>
>> > If I want to allow a user to edit only his/her comments, is there a
>> > good way without having to re-read the record they are editing to
>> > compare user_ids?
>>
>> You can do this on the initial request.
>>
>> $this->data = $this->Comment->read(null, $id);
>>
>> if ($this->data['Comment']['user_id'] != $this->Session->read('User.id'))
>> {
>> $this->flash(...)
>>
>> Store the user_id as a hidden form element. If you're using the
>> SecurityComponent then it will be difficult to change that.
You received this message because you are subscribed to the Google Groups "CakePHP" group.
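The ownership check discussed in this thread, written out as an added CakePHP 1.2-style edit action (example code, not from any poster or from CakePHP itself). It re-reads the Comment on both the initial GET and the POST and compares the stored user_id with the session, so the hidden form field is never the thing being trusted; it assumes a Comment model with `user_id` and `body` columns and a session key `User.id` as used in the thread.

```php
<?php
// Added example: ownership check for editing a hasMany record (User hasMany Comment).
// Assumptions: CakePHP 1.2 conventions, session key 'User.id' holds the logged-in
// user's id, and SecurityComponent is enabled so POSTed forms are token-checked.
class CommentsController extends AppController {
    var $name = 'Comments';
    var $components = array('Security', 'Session');

    function edit($id = null) {
        // Always load the record from the DB first; this is the only trustworthy
        // source of who owns the comment. redirect() exits, so no return is needed.
        $comment = $this->Comment->read(null, $id);
        if (empty($comment)) {
            $this->Session->setFlash('Comment not found');
            $this->redirect(array('action' => 'index'));
        }

        // Compare the STORED user_id with the session, never the submitted one.
        // This runs on GET and on POST alike, so a forged hidden field is useless.
        if ($comment['Comment']['user_id'] != $this->Session->read('User.id')) {
            $this->Session->setFlash('You may only edit your own comments');
            $this->redirect(array('action' => 'index'));
        }

        if (!empty($this->data)) {
            // Pin the primary key to the URL id and whitelist the editable
            // columns: id and user_id from the POST body are ignored entirely,
            // so the comment cannot be re-pointed or re-owned via the form.
            $this->Comment->id = $id;
            if ($this->Comment->save($this->data, true, array('body'))) {
                $this->Session->setFlash('Comment saved');
                $this->redirect(array('action' => 'view', $id));
            }
            $this->Session->setFlash('Comment could not be saved');
        } else {
            // Initial request: populate the form from the verified record.
            $this->data = $comment;
        }
    }
}
```

With the `body` field list, a hidden `user_id` input in the view is no longer load-bearing; SecurityComponent stays on as defence in depth against tampered or replayed forms.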