Friday, November 5, 2010

Re: ACL and Auth: Check if logged in user has same ID as passed by the URL? --psybear

You can check against $this->Auth->User-id to make sure the user id of the profile they want to edit matches. That way you are not relying on parameters passed in via a url.

Jeremy Burns
Class Outfit

jeremyburns@classoutfit.com
http://www.classoutfit.com

On 5 Nov 2010, at 10:23, psybear83 wrote:

> Hi everybody
>
> My application uses ACL and Auth. Every user should be able to edit
> his own profile. For this I check on every request whether the
> currently logged in user is the same as the one who's ID was submitted
> in the URL (users/edit/123).
>
> The following method existed in the app since early CakePHP 1.2.x
> days...
>
> function _userIsSelfOrSuperuser() {
> if ($this->isSuperuser()) {
> return true;
> } else {
> $this->User->read();
> if (!empty($this->User->data)) {
> $user = $this->Auth->user();
> return $user['User']['id'] == $this->User->data['User']['id'];
> } else {
> return false;
> }
> }
> }
>
> Sadly, it doesn't work anymore on CakePHP 1.3.5 (I don't know if it
> *ever* worked, it's not my app).
>
> I guess the problem is the $this->User->read() line: this one does
> absolutely nothing, because $this->User->id is not set. Maybe in
> earlier version this ID was set automatially when an ID was submit
> throught the URL (123)?
>
> My question: how should I fix this? I could do
>
> $this->User->id = $this->params['passed][0];
>
> because the user's ID should usually be the first unnamed passed
> parameter... but this looks very awkward to me, and when requesting
> users/index the param isn't even populated.
>
> So I guess there's a cleaner way to solve this? Maybe there's
> something like
>
> $this->User->id = $this->idOfTheObjectThatWasSubmitForEditOrAdd();
>
> or something...? ;-)
>
> Thanks a lot for your help, guys!
> Josh
>
> Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions.
>
> You received this message because you are subscribed to the Google Groups "CakePHP" group.
> To post to this group, send email to cake-php@googlegroups.com
> To unsubscribe from this group, send email to
> cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en

Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions.

You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)