Friday, January 29, 2010

Bypassing validation

(Note: This is my first time using CakePHP).

I have a fairly simple user model, with validation along the lines of:

    var $validate = array(
        'username' => array(
            'notEmpty' => array(
                'rule' => 'notEmpty',
                'message' => 'Your username is required.',
            ),
            'alphaNumeric' => array(
                'rule' => 'alphaNumeric',
                'message' => 'Your username can only use letters and numbers.',
            ),
            'between' => array(
                'rule' => array('between', 5, 15),
                'message' => 'Your username can only be between 5 to 15 characters.',
            ),
            'isUnique' => array(
                'rule' => 'isUnique',
                'message' => 'Your username is already in use.',
            ),
        ),
        'password' => array(
            'minLength' => array(
                'rule' => array('minLength', 4),
                'message' => 'Your password must be at least 4 characters long.',
            ),
        ),
        'repeat_password' => array(
            'repeat' => array(
                'rule' => array('checkRepeatPassword'),
                'message' => 'Your repeated password is not the same.',
            ),
        ),
        'name_first' => array('notempty'),
        'name_last' => array('notempty'),
    );

And I have then been playing with the DOM inspector in my browser,
where I removed the password field (or changed the name attribute).

When I submitted the registration form (username, password,
repeat_password fields) with only the username value supplied... the
user account was created, bypassing the password validation and
leaving the password blank (it should be more than 4 characters)...
admittedly this did cause a couple of undefined variables in the
checkRepeatPassword function, but it didn't stop anything.

Anyway, I've been wondering how I can avoid this happening, where
someone editing the DOM could bypass the field validation.

I did try adding the "required" attribute via:

    var $validate = array(
        'username' => array(
            'notEmpty' => array(
                'rule' => 'notEmpty',
                'message' => 'Your username is required.',
                'required' => true,
            ),
            ...
        'password' => array(
            'minLength' => array(
                'rule' => array('minLength', 4),
                'message' => 'Your password must be at least 4 characters long.',
                'required' => true,
            ),
        ),
        ...

Which seems to imply that the validation rules must be run (what I
want)... but then on the page where the user is able to change their
first/last name, the validation complains when the username and
password fields are not present (username should not be editable).

Craig
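One way to keep the rules enforced on the server without breaking the name-edit page, as an added example that is not Craig's code or CakePHP's own: the username/password rules are marked 'required' but scoped with 'on' => 'create', the custom rule survives a missing field instead of throwing undefined-index notices, and the edit action passes a field list to save() so only the name columns can change. It assumes a CakePHP 1.2-era model aliased 'User' and the Auth component for the logged-in user's id.

```php
<?php
// Added example, not from the original post. Assumes a CakePHP 1.2-era model
// aliased 'User'; the 'required' and 'on' validator keys and the $fieldList
// argument of save() are the CakePHP features relied on here.
class User extends AppModel {
    var $name = 'User';

    var $validate = array(
        'username' => array(
            'notEmpty' => array(
                'rule'     => 'notEmpty',
                'message'  => 'Your username is required.',
                'required' => true,     // the key must be present in the posted data
                'on'       => 'create', // ...but only when the account is created
            ),
        ),
        'password' => array(
            'minLength' => array(
                'rule'     => array('minLength', 4),
                'message'  => 'Your password must be at least 4 characters long.',
                'required' => true,
                'on'       => 'create',
            ),
        ),
        'repeat_password' => array(
            'repeat' => array(
                'rule'     => 'checkRepeatPassword',
                'message'  => 'Your repeated password is not the same.',
                'required' => true,
                'on'       => 'create',
            ),
        ),
    );

    // Custom rule that tolerates a missing 'password' key (no undefined-index
    // notices); a missing or different password simply fails the check.
    function checkRepeatPassword($check) {
        if (!isset($this->data[$this->alias]['password'])) {
            return false;
        }
        return $this->data[$this->alias]['password'] === current($check);
    }
}

// In the profile-edit action, whitelist the columns that may change so a
// form edited in the DOM cannot push username/password values through save():
// $this->User->id = $this->Auth->user('id');
// $this->User->save($this->data, true, array('name_first', 'name_last'));
```

Because the edit save sets $this->User->id first, the model treats it as an update and the 'on' => 'create' rules are skipped, while the field list stops any extra posted columns from being written.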
