Friday, September 2, 2011

Re: Issues With Auth Component

You need to scope the update to only update the logged-in user. That
way, when a user accesses the update action, it will only allow them to
update their own account.

For instance, on the action to update a user, fetch that user like so:

    public function update() {
        // This sets the logged in user as the user to update
        $this->User->id = $this->Auth->user('id');

        // Prepopulate form with logged in user details
        if (empty($this->data)) {
            $this->data = $this->User->read();
        }
        // Save user
        else {
            if ($this->User->save($this->data)) {
                $this->Session->setFlash('Update successful.', 'default',
                    array('class'=>'success'));
                $this->redirect(array('action'=>'view', $this->Auth->user('id')));
            }
            // There was an error
            else {
                $this->Session->setFlash('Errors while updating:', 'default',
                    array('class'=>'error'));
            }
        }
    }

If for some reason you need the functionality of passing in the user
ID to the update action, then do a check to see if the ID passed in
matches the logged-in user; if not, redirect and don't allow them to
edit. So you modify the code above to have an if:

    public function update($id = null) {
        if ($id != $this->Auth->user('id')) {
            // User is accessing someone else's profile, don't let them edit
            $this->redirect(array('action'=>'index'));
        }

        // the rest of the update code below..
    }

On Sep 2, 11:55 am, tubiz <tayi...@gmail.com> wrote:
> I have already set up the auth component and it is working perfectly.
> But I just discovered a problem.
> There are two users in my users table; when I am logged in as one of the
> users I can access the other user's details just by changing the ID.
> This wouldn't be secure, as a logged-in user can access all the details of
> other users.
> Please, how can I stop this so that a logged-in user is only able to
> view his details only and not other users' details.

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php
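The pattern from the reply above, applied to both the view action the question asks about and the update action, as an added example that is not part of the thread. It assumes the CakePHP 1.3-style Auth and Session components used in the reply; the helpers `_ownerId` and `_isOwner` are hypothetical names introduced here.

```php
<?php
// Added example, not code from the thread. Assumes CakePHP 1.3-style
// AuthComponent/SessionComponent; _ownerId and _isOwner are hypothetical.
class UsersController extends AppController {
    public $name = 'Users';
    public $components = array('Auth', 'Session');

    // Id of the authenticated user from the session, or null if none.
    protected function _ownerId() {
        $id = $this->Auth->user('id');
        return empty($id) ? null : (int)$id;
    }

    // True only when the id in the URL matches the session user.
    protected function _isOwner($id) {
        return $this->_ownerId() !== null && (int)$id === $this->_ownerId();
    }

    // users/view/<id>: never trust the URL id, query by the session id.
    // Auth has already forced a login before this action runs.
    public function view($id = null) {
        if (!$this->_isOwner($id)) {
            $this->Session->setFlash('You may only view your own profile.',
                'default', array('class' => 'error'));
            $this->redirect(array('action' => 'view', $this->_ownerId()));
        }
        $user = $this->User->find('first', array(
            'conditions' => array('User.id' => $this->_ownerId()),
        ));
        $this->set('user', $user);
    }

    public function update($id = null) {
        if (!$this->_isOwner($id)) {
            $this->redirect(array('action' => 'index'));
        }
        $this->User->id = $this->_ownerId();
        if (empty($this->data)) {
            $this->data = $this->User->read();  // prepopulate the form
            return;
        }
        // A posted hidden field data[User][id] could name another row;
        // overwrite it with the session id so save() cannot be redirected.
        $this->data['User']['id'] = $this->_ownerId();
        if ($this->User->save($this->data)) {
            $this->redirect(array('action' => 'view', $this->_ownerId()));
        }
        $this->Session->setFlash('Errors while updating:', 'default',
            array('class' => 'error'));
    }
}
```

The same ownership check belongs on every action that takes a record id (delete, edit, view), since each one is an independent path to another user's row.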