Really grateful for your help. It is now working as I wanted it to. I didn't
know it was this simple, but I was thinking in this direction.

But I am having another problem in my CakePHP application. I have a function
called addProfile. I would like the function to be displayed to a user who has
logged in and hasn't set up his profile, but if he has set it up he should be
directed to the Users Homepage.

On Sep 3, 5:48 pm, andrewperk <andrewp...@gmail.com> wrote:
> It's pretty simple, just use a conditional to compare the logged in
> user's ID to the ID passed in to the URL. If it doesn't match then
> they get redirected back to the edit page but this time passing in
> their ID rather than the one they tried to use. This should ensure
> only the current user can edit their current profile. Each time the
> user enters in an ID when trying to access the edit page and that ID
> doesn't match their ID they will get redirected.
>
> function edit($id = null) {
>     if (!$id && empty($this->data)) {
>         $this->Session->setFlash(__('Invalid profile', true));
>         $this->redirect(array('action' => 'index'));
>     }
>     // Check if the logged in user's id matches the passed in id
>     // if not redirect to their edit page
>     if ($id != $this->Auth->user('id')) {
>         $this->redirect(array('action' => 'edit', $this->Auth->user('id')));
>     }
>     if (!empty($this->data)) {
>         if ($this->Profile->save($this->data)) {
>             $this->Session->setFlash(__('The profile has been saved', true));
>             $this->redirect(array('action' => 'index'));
>         } else {
>             $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
>         }
>     }
>     if (empty($this->data)) {
>         $this->data = $this->Profile->read(null, $id);
>     }
>     $users = $this->Profile->User->find('list');
>     $this->set(compact('users'));
> }
>
> On Sep 2, 10:49 pm, tubiz <tayi...@gmail.com> wrote:
> > Thanks for your help. Please, I still can't restrict access to only the
> > logged in user's details. This is my edit code:
> >
> > function edit($id = null) {
> >     if (!$id && empty($this->data)) {
> >         $this->Session->setFlash(__('Invalid profile', true));
> >         $this->redirect(array('action' => 'index'));
> >     }
> >     if (!empty($this->data)) {
> >         if ($this->Profile->save($this->data)) {
> >             $this->Session->setFlash(__('The profile has been saved', true));
> >             $this->redirect(array('action' => 'index'));
> >         } else {
> >             $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
> >         }
> >     }
> >     if (empty($this->data)) {
> >         $this->data = $this->Profile->read(null, $id);
> >     }
> >     $users = $this->Profile->User->find('list');
> >     $this->set(compact('users'));
> > }
> >
> > Would be very grateful if you can edit it to include what you wrote
> > initially.
> > Thanks
> >
> > On Sep 3, 5:12 am, andrewperk <andrewp...@gmail.com> wrote:
> > > You need to scope the update to only update the logged in user. That
> > > way when a user accesses the update action it will only allow them to
> > > update their own account.
> > >
> > > For instance on the action to update a user fetch that user like so:
> > >
> > > public function update() {
> > >     // This sets the logged in user as the user to update
> > >     $this->User->id = $this->Auth->user('id');
> > >
> > >     // Prepopulate form with logged in user details
> > >     if (empty($this->data)) {
> > >         $this->data = $this->User->read();
> > >     }
> > >     // Save user
> > >     else {
> > >         if ($this->User->save($this->data)) {
> > >             $this->Session->setFlash('Update successful.', 'default', array('class' => 'success'));
> > >             $this->redirect(array('action' => 'view', $this->Auth->user('id')));
> > >         }
> > >         // There was an error
> > >         else {
> > >             $this->Session->setFlash('Errors while updating:', 'default', array('class' => 'error'));
> > >         }
> > >     }
> > > }
> > >
> > > If for some reason you need the functionality of passing in the user
> > > ID to the update action then do a check to see if the id passed in
> > > matches the logged in user, if not redirect and don't allow them to
> > > edit. So you modify the code above to have an if:
> > >
> > > public function update($id = null) {
> > >     if ($id != $this->Auth->user('id')) {
> > >         // User is accessing someone else's profile, don't let them edit
> > >         $this->redirect(array('action' => 'index'));
> > >     }
> > >
> > >     // the rest of the update code below..
> > > }
> > >
> > > On Sep 2, 11:55 am, tubiz <tayi...@gmail.com> wrote:
> > > > I have already set up the auth component and it is working perfectly.
> > > > But I just discovered a problem.
> > > > There are two users in my users table. When I am logged in as one of the
> > > > users I can access the other user's details just by changing the ID.
> > > > This wouldn't be secure, as a logged in user can access all the details of
> > > > other users.
> > > > Please, how can I stop this so that a logged in user is only able to
> > > > view his details and not other users' details?
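The thread above is a textbook broken-access-control case: the edit action trusts the id from the URL, so any logged-in user can read or overwrite another user's profile. The following is an added example, not code from the thread or from CakePHP itself. It strips the controller down to framework-free PHP (constructed in-memory `$profiles` table and session value) so it runs with plain `php` and shows the two points the replies circle around: scope every lookup by the owner taken from the session, and do not let the posted form pick the target row or its owner either, since checking the URL id alone still leaves `$this->Profile->save($this->data)` free to save whatever `Profile.id` the form carries. The function names are hypothetical; in a CakePHP 1.x controller the equivalent is a `'conditions' => array('Profile.user_id' => $this->Auth->user('id'))` on the `find`, and setting `$this->data['Profile']['user_id']` from `Auth` before the save.

```php
<?php
// Added example (not from the thread). Models the edit action's authorization
// decision in framework-free PHP. Table and session values are constructed.

// Constructed "profiles" table: each profile belongs to exactly one user.
$profiles = array(
    1 => array('id' => 1, 'user_id' => 10, 'bio' => 'alice'),
    2 => array('id' => 2, 'user_id' => 20, 'bio' => 'bob'),
);

// Vulnerable lookup, equivalent to Profile->read(null, $id) with the id taken
// straight from the URL: no ownership check, so any logged-in user can fetch
// (and then overwrite) any profile by changing the number.
function readProfileUnscoped(array $profiles, $id) {
    return isset($profiles[$id]) ? $profiles[$id] : null;
}

// Hardened lookup: the owner comes from the session, never from the request,
// and the row must belong to that owner. "Not yours" is answered exactly like
// "does not exist", so the response does not reveal which ids are valid.
function readProfileScoped(array $profiles, $id, $sessionUserId) {
    if (!isset($profiles[$id])) {
        return null;
    }
    $row = $profiles[$id];
    if ((int) $row['user_id'] !== (int) $sessionUserId) {
        return null;
    }
    return $row;
}

// Hardened save: re-check ownership of the row the form targets, then force
// both the row id and the owner from server-side values so a tampered form
// cannot move the write to another row or hand the profile to another user.
function saveProfileScoped(array &$profiles, array $posted, $sessionUserId) {
    $id = isset($posted['id']) ? (int) $posted['id'] : 0;
    $current = readProfileScoped($profiles, $id, $sessionUserId);
    if ($current === null) {
        return false; // refuse; the controller would flash a message and redirect
    }
    $posted['id'] = $id;
    $posted['user_id'] = (int) $sessionUserId; // client-supplied owner is ignored
    $profiles[$id] = array_merge($current, $posted);
    return true;
}

// Decides where a freshly logged-in user goes: profile form if none exists yet,
// otherwise the home page. This is the addProfile / homepage routing asked about.
function landingActionFor(array $profiles, $sessionUserId) {
    foreach ($profiles as $row) {
        if ((int) $row['user_id'] === (int) $sessionUserId) {
            return 'home';
        }
    }
    return 'addProfile';
}

// Demo: user 10 is logged in and alters the URL / form to reach profile 2.
$sessionUserId = 10;
var_dump(readProfileUnscoped($profiles, 2) !== null);                       // bool(true): leak
var_dump(readProfileScoped($profiles, 2, $sessionUserId));                  // NULL: blocked
var_dump(saveProfileScoped($profiles, array('id' => 2, 'bio' => 'x'), $sessionUserId)); // bool(false)
var_dump(saveProfileScoped($profiles, array('id' => 1, 'user_id' => 20, 'bio' => 'new'), $sessionUserId)); // bool(true)
var_dump($profiles[1]['user_id']);                                          // int(10): owner unchanged
var_dump(landingActionFor($profiles, 30));                                  // string(10) "addProfile"
```

Treating a scoped miss as a 404 rather than a redirect to the caller's own edit page is the deliberate choice here: the redirect in the reply works, but it confirms to the caller that the id they typed existed, and a failed ownership check is also worth logging on the server side as a sign of probing.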
-- Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions. To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php