Hey Chris, I think you've got a good point there. One solution I could think of is to do something like this: class PostsController extends AppController { var $name = 'Posts'; function update() { $post = $this->__limitFields($this->data['Post'], array('text', 'title')); } function __limitFields($fields, $allowed_fields) { foreach ($fields as $field => $val) { if (!in_array($field, $allowed_fields)) { unset($fields[$field]); } } return $fields; } } (didn't actually try it out, but I think you get the idea.). But still, this could leave some holes in older apps if they store critical data in tables that can be modified like this. Best Regards, Felix Geisendörfer Chris Renner schrieb: It just occurred to me that I've left a serious security hole in my recent cake apps. By blindly using $this->params['data'] in my save, I'm leaving a hole for users to change whatever fields they want to. I want to remind people about the potential for this, and see if the group has a more elegant way of solving it.Say for example I have a User model. Users need to be able to update their email address, etc., but I don't want them changing, say, the security_level field. So far, I've just used an edit form that contained inputs for email address, etc. but not for security_level. But (having just done it), it's easy for an html-savvy user to add an <input name="data[User][security_level]" /> and change it along with the rest of the data. Because my controller simply contains $this->User->save($this->params['data']) any field that's present in the form will be saved, including security_level. Now, this fix for this can be easy: in my action, unset those fields I don't want to be writable. But it seems like there must be better way to do it... based on user roles in the before_filter perhaps? Or even in the model? What's the philosophy here? Should controllers have unfettered access to all fields of a model, or should access be limited from the model? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Cake PHP" group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cake-php -~----------~----~----~----~------~----~------~--~--- |
- Re: limiting what fields can be saved Felix Geisendörfer
- Re: limiting what fields can be saved Samuel DeVore
- Re: limiting what fields can be saved [EMAIL PROTECTED]
- Re: limiting what fields can be saved Felix Geisendörfer
- Re: limiting what fields can be saved [EMAIL PROTECTED]
- Re: limiting what fields can be saved Samuel DeVore
- Re: limiting what fields can be saved nate