> hi Paul,
>
> This is my first experience developing under a framework, but I'm
> starting to see the advantages and I really like the baking features
> in a shell prompt. Tons of time saved there.
>
> What i'll be building is a basic user account system where users can
> login and edit their own record. So I need to prevent the user from
> editing another user's record.
In that situation, I don't even pass the ID of the record in question.
Instead, I'll get the User.id from the session. In UsersController,
for example:
public function edit()
{
$id = $this->Auth->user('id');
if (!empty($this->data))
{
$this->data['User']['id'] = $id;
$this->User->set($this->data);
if ($this->User->validates())
{
// etc.
}
}
else
{
// fetch the record from DB
$this->data = $this->User->read(null, $id);
}
}
And routes.php:
Router::connect(
'/profile',
array('controller' => 'users', 'action' => 'edit')
);
So there's nothing for the user to fiddle with. And because edit is
not included in the controller's $this->Auth->allow(...) the action
can only be reached by a logged-in user.
You can use the same pattern for any model that has a user_id field.
> From your comments it looks like the solution is with group management
> and the isAuthorized() syntax you mentioned. So it sounds like I need
> to read more on this subject.
I don't think ACL is strictly necessary here. But that really depends
on the details of your app.
> For your final question, I'm use to in the past for simple systems
> having an authorization code as part of the database record. The code
> is in the URL as a parameter and the query would do the select against
> the code. The code can replace the ID and since its a long 32
> character random code, guessing another code is nearly impossible. It
> was highly effective, simple and nice for situations where you didn't
> want a user to have to login first - just as updating a record by
> clicking on a link in an email.
I guess it depends, though, on how secure this needs to be, and on how
random your random() is. The higher the security needs, the more
effort will be required to create a random string (and it likely never
truly will be)
Incidentally, though, Cake will automatically use UUID if your id
column is specified as CHAR(36) NOT NULL instead of a regular INT.
http://book.cakephp.org/view/1016/Using-UUIDs-as-Primary-Keys
Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions.
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
No comments:
Post a Comment