You need to scope the update to only update the logged in user. That
way when a user accesses the update action it will only allow them to
update their own account.

For instance, on the action to update a user, fetch that user like so:

public function update() {
  // This sets the logged in user as the user to update
  $this->User->id = $this->Auth->user('id');

  // Prepopulate form with logged in user details
  if (empty($this->data)) {
    $this->data = $this->User->read();
  }
  // Save user
  else {
    if ($this->User->save($this->data)) {
      $this->Session->setFlash('Update successful.', 'default',
        array('class'=>'success'));
      $this->redirect(array('action'=>'view', $this->Auth->user('id')));
    }
    // There was an error
    else {
      $this->Session->setFlash('Errors while updating:', 'default',
        array('class'=>'error'));
    }
  }
}

If for some reason you need the functionality of passing in the user
ID to the update action, then do a check to see if the id passed in
matches the logged in user; if not, redirect and don't allow them to
edit. So you modify the code above to have an if:

public function update($id = null) {
  if ($id != $this->Auth->user('id')) {
    // User is accessing someone else's profile, don't let them edit
    $this->redirect(array('action'=>'index'));
  }

  // the rest of the update code below..
}

On Sep 2, 11:55 am, tubiz <tayi...@gmail.com> wrote:
> I have already set up the auth component and it is working perfectly.
> But I just discovered a problem.
> There are two users in my users table; when I am logged in as one of the
> users I can access the other user's details just by changing the id.
> This wouldn't be secure, as a logged in user can access all the details of
> other users.
> Please, how can I stop this so that a logged in user is only able to
> view his details only and not other users' details.
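The same scoping idea carried through both the view and update actions, as an added example that is not code from the original post. It is written in CakePHP 1.x style and assumes a User model with an `id` primary key plus the Auth and Session components; the column names in the field whitelist are assumptions. Note the extra step after setting `$this->User->id`: because Model::set() takes the primary key from posted data, the session value is also written into `$this->data` so a posted `data[User][id]` field cannot retarget the save.

```php
<?php
// Added example (not from the original post). CakePHP 1.x style controller;
// assumes the User model and the Auth and Session components from the thread.
class UsersController extends AppController {
    var $components = array('Auth', 'Session');

    // Only the logged in user's own record is ever read.
    function view($id = null) {
        $ownId = (int) $this->Auth->user('id');
        if ($id !== null && (int) $id !== $ownId) {
            // Someone else's id was passed in: refuse without reading the record.
            $this->Session->setFlash('You can only view your own account.');
            $this->redirect(array('action' => 'view'));
        }
        $this->set('user', $this->User->read(null, $ownId));
    }

    // Only the logged in user's own record is ever written.
    function update() {
        $ownId = (int) $this->Auth->user('id');
        $this->User->id = $ownId;

        // Prepopulate the form with the logged in user's own details.
        if (empty($this->data)) {
            $this->data = $this->User->read(null, $ownId);
            return;
        }

        // Setting $this->User->id alone is not enough: a posted hidden
        // data[User][id] field would override it in Model::set(). Force the
        // session value into the data before saving.
        $this->data['User']['id'] = $ownId;

        // Whitelist the columns a user may change about themselves
        // (assumed column names); anything else posted is ignored.
        $fieldList = array('id', 'name', 'email', 'password');
        if ($this->User->save($this->data, true, $fieldList)) {
            $this->Session->setFlash('Update successful.');
            $this->redirect(array('action' => 'view'));
        } else {
            $this->Session->setFlash('Errors while updating.');
        }
    }
}
```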
