Saturday, January 30, 2010

Re: Bypassing validation

Thanks John,

It does strike me as a little odd that "'required' => true" is at the
individual rule(s) specific level, and not the field specific level...
as in:

var $validate = array(
'username' => array(
'required' => true, // <-- SHOULD BE HERE
'notEmpty' => array(
'rule' => 'notEmpty',
'message' => 'Your username is required.',
),
...
),

Rather than:

var $validate = array(
'username' => array(
'notEmpty' => array(
'rule' => 'notEmpty',
'message' => 'Your username is required.',
'required' => true, // <-- NOT HERE
),
'alphaNumeric' => array(
'rule' => 'alphaNumeric',
'message' => 'Your username can only use letters and numbers.',
'required' => true, // <-- AND NOT HERE, etc, etc
),
...
),

As in, that 'required' will technically need to be set on every rule
(which is not the default) so that you can get the "safe" setting.

Shouldn't it be the case that frameworks (or at least my
interpretation of them) should be safe by default, and that you need to
explicitly tell them to disable security features in order to open
them up?

But then again... on the $this->Model->save() method... you can (and
should) pass in a "fieldList"... which is good for stopping hackers/
crackers adding additional fields (e.g. an "is_admin" field on a
generic user registration form), but that is just to limit the fields,
it doesn't seem to say "these are all the fields which will be
supplied, and if that field does not exist in the $data array, try to
validate it as an empty string".

Craig

On Jan 30, 8:03 am, John Andersen <j.andersen...@gmail.com> wrote:
> You did it correctly by adding the required => true attribute.
> Only when you want to update the other fields, as you state, then you
> should turn off the rules for username and password by:
>
> [code]
> unset($this->User->validate['username']);
> unset($this->User->validate['password']);
> rest of code, where you do your update.
> [/code]
>
> The above turns off the two validation rules for username and password
> so that you can save/update the other fields.
>
> Enjoy,
>    John
>
> On Jan 29, 7:27 pm, Craig Francis <craig.fran...@gmail.com> wrote:
>
> > (Note: This is my first time using CakePHP).
>
> > I have a fairly simple user model, with validation along the lines of:
>
> >         var $validate = array(
> >                 'username' => array(
> >                                 'notEmpty' => array(
> >                                                 'rule' => 'notEmpty',
> >                                                 'message' => 'Your username is required.',
> >                                         ),
> >                                 'alphaNumeric' => array(
> >                                                 'rule' => 'alphaNumeric',
> >                                                 'message' => 'Your username can only use letters and numbers.',
> >                                         ),
> >                                 'between' => array(
> >                                                 'rule' => array('between', 5, 15),
> >                                                 'message' => 'Your username can only be between 5 to 15
> > characters.',
> >                                         ),
> >                                 'isUnique' => array(
> >                                                 'rule' => 'isUnique',
> >                                                 'message' => 'Your username is already in use.',
> >                                         ),
> >                         ),
> >                 'password' => array(
> >                                 'minLength' => array(
> >                                                 'rule' => array('minLength', 4),
> >                                                 'message' => 'Your password must be at least 4 characters
> > long.',
> >                                         ),
> >                         ),
> >                 'repeat_password' => array(
> >                                 'repeat' => array(
> >                                                 'rule' => array('checkRepeatPassword'),
> >                                                 'message' => 'Your repeated password is not the same.',
> >                                         ),
> >                         ),
> >                 'name_first' => array('notempty'),
> >                 'name_last' => array('notempty'),
> >         );
>
> > And I have then been playing with the DOM inspector in my browser,
> > where I removed the password field (or changed the name attribute).
>
> > When I submitted the registration form (username, password,
> > repeat_password fields), only with the username value supplied... the
> > user account was created, bypassing the password validation and
> > leaving the password blank (should be more than 4 characters)...
> > admittedly this did cause a couple of undefined variables in the
> > checkRepeatPassword function, but didn't stop anything.
>
> > Anyway, I've been wondering how I can avoid this happening, where
> > someone editing the DOM could bypass the field validation.
>
> > I did try adding the "required" attribute via:
>
> >         var $validate = array(
> >                 'username' => array(
> >                                 'notEmpty' => array(
> >                                                 'rule' => 'notEmpty',
> >                                                 'message' => 'Your username is required.',
> >                                                 'required' => true,
> >                                         ),
> >         ...
> >                 'password' => array(
> >                                 'minLength' => array(
> >                                                 'rule' => array('minLength', 4),
> >                                                 'message' => 'Your password must be at least 4 characters
> > long.',
> >                                                 'required' => true,
> >                                         ),
> >                         ),
> >         ...
>
> > Which seems to imply that the validation rules must be run (what I
> > want)... but then on the page where the user is able to change their
> > first/last name, the validation complains when the username and
> > password fields are not present (username should not be editable).
>
> > Craig
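To make the behaviour discussed in this thread concrete, here is an added PHP example (not CakePHP's own code, and not from any poster) that models how a per-rule 'required' flag decides whether a field missing from the POST is validated at all. The $validate rules and submitted data are constructed for the example, and applyFieldList is a hypothetical stand-in for the fieldList whitelist idea, not Cake's save() API.

```php
<?php
// Added example (not CakePHP's own code): a simplified model of how
// Cake 1.x-style model validation treats a field that is absent from the
// submitted data. A rule is skipped for a missing field unless that rule
// carries 'required' => true. The rules and data below are constructed.
function ruleFails(array $rule, $value) {
    // Mini-validators for the two rules this example uses.
    if ($rule['rule'] === 'notEmpty') {
        return trim((string) $value) === '';
    }
    if (is_array($rule['rule']) && $rule['rule'][0] === 'minLength') {
        return strlen((string) $value) < $rule['rule'][1];
    }
    return false;
}

function validateSubmission(array $validate, array $data) {
    $errors = array();
    foreach ($validate as $field => $rules) {
        foreach ($rules as $rule) {
            if (!array_key_exists($field, $data)) {
                if (empty($rule['required'])) {
                    continue; // absent field: this rule is silently skipped
                }
                $errors[$field][] = 'This field is required.';
                continue;
            }
            if (ruleFails($rule, $data[$field])) {
                $errors[$field][] = $rule['message'];
            }
        }
    }
    return $errors;
}

// Hypothetical stand-in for a fieldList: it whitelists which submitted keys
// are kept (dropping e.g. is_admin) but does not demand that a key be present.
function applyFieldList(array $data, array $fieldList) {
    return array_intersect_key($data, array_flip($fieldList));
}

$validate = array(
    'username' => array('notEmpty' => array('rule' => 'notEmpty', 'message' => 'Your username is required.')),
    'password' => array('minLength' => array('rule' => array('minLength', 4), 'message' => 'Your password must be at least 4 characters long.')),
);
// Constructed POST where the password input was removed from the form.
$data = applyFieldList(array('username' => 'craig', 'is_admin' => 1), array('username', 'password'));
var_dump(validateSubmission($validate, $data)); // without 'required', the missing password is never checked
$validate['password']['minLength']['required'] = true;
var_dump(validateSubmission($validate, $data)); // with 'required', the missing password is reported
```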
