Saturday, January 30, 2010

Re: Bypassing validation

You did it correctly: you added the required => true attribute.
Only when you want to update the other fields, as you state, should you
turn off the rules for username and password by:

[code]
unset($this->User->validate['username']);
unset($this->User->validate['password']);
// rest of code, where you do your update.
[/code]

The above turns off the two validation rules for username and password
so that you can save/update the other fields.

Enjoy,
John


On Jan 29, 7:27 pm, Craig Francis <craig.fran...@gmail.com> wrote:
> (Note: This is my first time using CakePHP).
>
> I have a fairly simple user model, with validation along the lines of:
>
>     var $validate = array(
>         'username' => array(
>             'notEmpty' => array(
>                 'rule' => 'notEmpty',
>                 'message' => 'Your username is required.',
>             ),
>             'alphaNumeric' => array(
>                 'rule' => 'alphaNumeric',
>                 'message' => 'Your username can only use letters and numbers.',
>             ),
>             'between' => array(
>                 'rule' => array('between', 5, 15),
>                 'message' => 'Your username can only be between 5 to 15 characters.',
>             ),
>             'isUnique' => array(
>                 'rule' => 'isUnique',
>                 'message' => 'Your username is already in use.',
>             ),
>         ),
>         'password' => array(
>             'minLength' => array(
>                 'rule' => array('minLength', 4),
>                 'message' => 'Your password must be at least 4 characters long.',
>             ),
>         ),
>         'repeat_password' => array(
>             'repeat' => array(
>                 'rule' => array('checkRepeatPassword'),
>                 'message' => 'Your repeated password is not the same.',
>             ),
>         ),
>         'name_first' => array('notempty'),
>         'name_last' => array('notempty'),
>     );
>
> And I have then been playing with the DOM inspector in my browser,
> where I removed the password field (or changed the name attribute).
>
> When I submitted the registration form (username, password,
> repeat_password fields), only with the username value supplied... the
> user account was created, bypassing the password validation and
> leaving the password blank (should be more than 4 characters)...
> admittedly this did cause a couple of undefined variables in the
> checkRepeatPassword function, but didn't stop anything.
>
> Anyway, I've been wondering how I can avoid this happening, where
> someone editing the DOM could bypass the field validation.
>
> I did try adding the "required" attribute via:
>
>     var $validate = array(
>         'username' => array(
>             'notEmpty' => array(
>                 'rule' => 'notEmpty',
>                 'message' => 'Your username is required.',
>                 'required' => true,
>             ),
>     ...
>         'password' => array(
>             'minLength' => array(
>                 'rule' => array('minLength', 4),
>                 'message' => 'Your password must be at least 4 characters long.',
>                 'required' => true,
>             ),
>         ),
>     ...
>
> Which seems to imply that the validation rules must be run (what I
> want)... but then on the page where the user is able to change their
> first/last name, the validation complains when the username and
> password fields are not present (username should not be editable).
>
> Craig
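An added illustration of the behaviour discussed in this thread, not CakePHP's own code or anything John or Craig posted: `validate()` and `runRule()` below are a simplified stand-in for the framework's per-field validation, written to show why a field deleted from the form in the DOM inspector never reaches its rules, how `'required' => true` makes its absence an error, and why the profile-edit save then needs the username/password rules unset as John describes. The `isUnique` and `checkRepeatPassword` rules are left out because they need a database or the model; the POST data is constructed.

```php
<?php
// Added illustration for this thread, not CakePHP's own code: validate() is a
// simplified stand-in for the framework's per-field validation.
function runRule($rule, $value) {
    if ($rule === 'notEmpty') return trim((string)$value) !== '';
    if ($rule === 'alphaNumeric') return (bool)preg_match('/^[a-z0-9]+$/i', $value);
    if (is_array($rule) && $rule[0] === 'minLength') return strlen($value) >= $rule[1];
    if (is_array($rule) && $rule[0] === 'between') {
        $n = strlen($value);
        return $n >= $rule[1] && $n <= $rule[2];
    }
    return true;
}

function validate(array $validate, array $data) {
    $errors = array();
    foreach ($validate as $field => $rules) {
        foreach ($rules as $rule) {
            if (!array_key_exists($field, $data)) {
                // A field the client removed from the form never reaches its rules;
                // only a rule marked 'required' => true objects to its absence.
                if (!empty($rule['required'])) { $errors[$field] = $rule['message']; break; }
                continue;
            }
            if (!runRule($rule['rule'], $data[$field])) { $errors[$field] = $rule['message']; break; }
        }
    }
    return $errors;
}
// Rules from the posted model with Craig's 'required' => true additions (name_first message constructed).
$validate = array(
    'username' => array(
        'notEmpty' => array('rule' => 'notEmpty', 'message' => 'Your username is required.', 'required' => true),
        'alphaNumeric' => array('rule' => 'alphaNumeric', 'message' => 'Your username can only use letters and numbers.'),
        'between' => array('rule' => array('between', 5, 15), 'message' => 'Your username can only be between 5 to 15 characters.'),
    ),
    'password' => array(
        'minLength' => array('rule' => array('minLength', 4), 'message' => 'Your password must be at least 4 characters long.', 'required' => true),
    ),
    'name_first' => array('notEmpty' => array('rule' => 'notEmpty', 'message' => 'Your first name is required.')),
);
// Registration POST with the password input deleted in the DOM inspector (constructed data):
// the missing password is now reported instead of a blank one being saved.
print_r(validate($validate, array('username' => 'craig1')));

// Profile edit POST (constructed data): username/password are legitimately absent, so apply
// John's fix and drop their rules before saving; only the remaining fields are checked.
$editRules = $validate;
unset($editRules['username'], $editRules['password']);
print_r(validate($editRules, array('name_first' => 'Craig')));
```

The first call returns an error for `password` and the second returns an empty array, which is the distinction the server must enforce itself: whatever the browser omits, presence is decided by the model's rules, not by which inputs were on the page.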
