user's ID to the ID passed in to the URL. If it doesn't match then
they get redirected back to the edit page but this time passing in
their ID rather than the one they tried to use. This should ensure
that only the current user can edit their own profile. Whenever the
user supplies an ID on the edit page that doesn't match their own ID,
they are redirected.
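/**
 * Edit the logged in user's own profile.
 *
 * The profile id arrives from the URL, so it is compared with the
 * authenticated user's id before anything is read or saved; on a
 * mismatch the user is sent to the edit page for their own id.
 *
 * NOTE(review): this assumes a profile's id equals its owner's user id
 * (Profile.id === User.id) — confirm against the schema. If Profile has
 * its own id plus a user_id column, the ownership check has to be made
 * on user_id instead, and user_id must not be accepted from the form
 * (the `users` list set below suggests the form offers such a select).
 *
 * @param mixed $id profile id taken from the URL, or null when none given
 * @return void
 */
function edit($id = null) {
    if (!$id && empty($this->data)) {
        $this->Session->setFlash(__('Invalid profile', true));
        $this->redirect(array('action' => 'index'));
    }

    // Compare as strings: $id is a URL string while the session value may
    // be an int, and a loose != would treat e.g. "5abc" as equal to 5 under
    // PHP 5 numeric-string comparison rules.
    $ownId = (string) $this->Auth->user('id');
    if ((string) $id !== $ownId) {
        // Someone else's id (or none): bounce to the user's own edit page.
        $this->redirect(array('action' => 'edit', $this->Auth->user('id')));
    }

    if (!empty($this->data)) {
        // The URL check above says nothing about the POSTed body: the form's
        // hidden Profile.id can be altered client-side, so the record being
        // saved is pinned to the verified $id rather than trusted from the
        // request data.
        $this->Profile->id = $id;
        $this->data['Profile']['id'] = $id;
        if ($this->Profile->save($this->data)) {
            $this->Session->setFlash(__('The profile has been saved', true));
            $this->redirect(array('action' => 'index'));
        } else {
            $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
        }
    }

    if (empty($this->data)) {
        // Initial GET (or no data posted): prefill the form from the verified id.
        $this->data = $this->Profile->read(null, $id);
    }

    $users = $this->Profile->User->find('list');
    $this->set(compact('users'));
}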
On Sep 2, 10:49 pm, tubiz <tayi...@gmail.com> wrote:
> Thanks for your help. PLease I still cant restrict access to only the
> loggen in users details this is my edit code
>
> function edit($id = null) {
> if (!$id && empty($this->data)) {
> $this->Session->setFlash(__('Invalid profile', true));
> $this->redirect(array('action' => 'index'));
> }
> if (!empty($this->data)) {
> if ($this->Profile->save($this->data)) {
> $this->Session->setFlash(__('The profile has been saved', true));
> $this->redirect(array('action' => 'index'));
> } else {
> $this->Session->setFlash(__('The profile could not be saved.
> Please, try again.', true));
> }
> }
> if (empty($this->data)) {
> $this->data = $this->Profile->read(null, $id);
> }
> $users = $this->Profile->User->find('list');
> $this->set(compact('users'));
> }
>
> Would be very grateful if you can edit it to include what you wrote
> initially.
> Thanks
>
> On Sep 3, 5:12 am, andrewperk <andrewp...@gmail.com> wrote:
>
>
>
>
>
>
>
> > You need to scope the update to only update the logged in user. That
> > way when a user accesses the update action it will only allow them to
> > update their own account.
>
> > For instance on the action to update a user fetch that user like so:
>
> > public function update() {
> > // This sets the logged in user as the user to update
> > $this->User->id = $this->Auth->user('id');
>
> > Prepopulate form with logged in user details
> > if (empty($this->data)) {
> > $this->data = $this->User->read();
> > }
> > // Save user
> > else {
> > if ($this->User->save($this->data)) {
> > $this->Session->setFlash('Update successful.', 'default',
> > array('class'=>'success'));
> > $this->redirect(array('action'=>'view', $this->Auth->user('id')));
>
> > }
> > // There was an error
> > else {
> > $this->Session->setFlash('Errors while updating:', 'default',
> > array('class'=>'error'));
> > }
> > }
>
> > }
>
> > If for some reason you need the functionality of passing in the user
> > ID to the update action then do a check to see if the id passed in
> > matches the logged in user, if not redirect and don't allow them to
> > edit. So you modify the code above to have an if:
>
> > public function update($id = null) {
> > if ($id != $this->Auth->user('id')) {
> > // User is accessing someone else's profile, don't let them edit
> > $this->redirect(array('action'=>'index');
>
> > }
>
> > // the rest of the update code below..
>
> > }
>
> > On Sep 2, 11:55 am, tubiz <tayi...@gmail.com> wrote:
>
> > > I have already setup the auth component and it is working perfectly.
> > > But I just discovered a problem.
> > > There are two users in my users table when I am login as one of the
> > > users I can access the other users details just by changing the i.d.
> > > This wouldnt be secure as a login user can access all the details of
> > > other users,
> > > Please how can I stop this so that a logged in user is only able to
> > > view his details only and not other users details.
--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php