Friday, September 2, 2011

Re: Issues With Auth Component

Thanks for your help. Please, I still can't restrict access to only the
logged-in user's details. This is my edit code:

function edit($id = null) {
    // $id is taken straight from the URL; nothing ties it to the logged-in user
    if (!$id && empty($this->data)) {
        $this->Session->setFlash(__('Invalid profile', true));
        $this->redirect(array('action' => 'index'));
    }
    if (!empty($this->data)) {
        // Saves the record whose id is in the submitted form data
        if ($this->Profile->save($this->data)) {
            $this->Session->setFlash(__('The profile has been saved', true));
            $this->redirect(array('action' => 'index'));
        } else {
            $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
        }
    }
    if (empty($this->data)) {
        // Reads the profile for the requested $id, whoever is logged in
        $this->data = $this->Profile->read(null, $id);
    }
    $users = $this->Profile->User->find('list');
    $this->set(compact('users'));
}


Would be very grateful if you can edit it to include what you wrote
initially.
Thanks

On Sep 3, 5:12 am, andrewperk <andrewp...@gmail.com> wrote:
> You need to scope the update to only update the logged in user. That
> way when a user accesses the update action it will only allow them to
> update their own account.
>
> For instance on the action to update a user fetch that user like so:
>
> public function update() {
>   // This sets the logged in user as the user to update
>   $this->User->id = $this->Auth->user('id');
>
>     // Prepopulate form with logged in user details
>     if (empty($this->data)) {
>       $this->data = $this->User->read();
>     }
>     // Save user
>     else {
>       if ($this->User->save($this->data)) {
>         $this->Session->setFlash('Update successful.', 'default',
> array('class'=>'success'));
>         $this->redirect(array('action'=>'view', $this->Auth->user('id')));
>
>       }
>       // There was an error
>       else {
>         $this->Session->setFlash('Errors while updating:', 'default',
> array('class'=>'error'));
>       }
>     }
>
> }
>
> If for some reason you need the functionality of passing in the user
> ID to the update action then do a check to see if the id passed in
> matches the logged in user; if not, redirect and don't allow them to
> edit. So you modify the code above to have an if:
>
> public function update($id = null) {
> if ($id != $this->Auth->user('id')) {
>   // User is accessing someone else's profile, don't let them edit
>   $this->redirect(array('action'=>'index'));
>
> }
>
> // the rest of the update code below..
>
> }
>
> On Sep 2, 11:55 am, tubiz <tayi...@gmail.com> wrote:
>
> > I have already set up the auth component and it is working perfectly.
> > But I just discovered a problem.
> > There are two users in my users table. When I am logged in as one of the
> > users I can access the other user's details just by changing the ID.
> > This wouldn't be secure, as a logged-in user can access all the details of
> > other users.
> > Please, how can I stop this so that a logged-in user is only able to
> > view his own details and not other users' details?

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php
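The scoping andrewperk describes, written out for the ProfilesController above as an added example (not code from the thread). It assumes CakePHP 1.3, that Profile belongsTo User via a `user_id` column, that Auth is configured so `$this->Auth->user('id')` is the session user's id, and hypothetical editable columns `bio` and `location`. Beyond the URL check in the reply, it also overwrites the `id` and `user_id` that arrive in the POST body, since a tampered hidden form field could otherwise save over another user's row.

```php
<?php
// Added example, not from the thread: edit() scoped to the logged-in user.
// Assumes CakePHP 1.3, Profile belongsTo User (user_id), Auth component configured.
class ProfilesController extends AppController {

    public function edit() {
        // Derive the record from the session, never from the URL or the POST body.
        $userId = $this->Auth->user('id');
        $profile = $this->Profile->find('first', array(
            'conditions' => array('Profile.user_id' => $userId),
        ));
        if (!$profile) {
            $this->Session->setFlash(__('Invalid profile', true));
            $this->redirect(array('action' => 'index'));
        }

        if (!empty($this->data)) {
            // Replace whatever id/user_id the client submitted with the
            // server-side values, so an edited hidden field cannot target
            // somebody else's profile.
            $this->data['Profile']['id'] = $profile['Profile']['id'];
            $this->data['Profile']['user_id'] = $userId;

            // fieldList restricts mass assignment to columns a user may change
            // (bio and location are assumed column names).
            $fields = array('id', 'user_id', 'bio', 'location');
            if ($this->Profile->save($this->data, true, $fields)) {
                $this->Session->setFlash(__('The profile has been saved', true));
                $this->redirect(array('action' => 'index'));
            } else {
                $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
            }
        }

        if (empty($this->data)) {
            // Prepopulate the form from the record found by user_id, not by URL id.
            $this->data = $profile;
        }
        // No $users list is passed to the view: a user cannot reassign the
        // profile to another account from this form.
    }
}
```

If a URL id must still be accepted for other reasons, compare it against `$profile['Profile']['id']` after the lookup above and redirect on mismatch, rather than using it in the query.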
