Really grateful for your help. It is now working as I wanted it to
didn't know it was this simple but I was thinking in this direction.
But I am having another problem in my cakephp application I have a
function called addProfile I would like the function to be displayed
to a user that has logged in and hasnt setup his profile but if he has
set it up he should be directed to the Users Homepage.
On Sep 3, 5:48 pm, andrewperk <andrewp...@gmail.com> wrote:
> It's pretty simple, just use a conditional to compare the logged in
> user's ID to the ID passed in to the URL. If it doesn't match then
> they get redirected back to the edit page but this time passing in
> their ID rather than the one they tried to use. This should ensure
> only the current user can edit their current profile. Each time the
> user enters in an ID when trying to access the edit page and that ID
> doesn't match their ID they will get redirected.
>
> function edit($id = null) {
> if (!$id && empty($this->data)) {
> $this->Session->setFlash(__('Invalid profile',
> true));
> $this->redirect(array('action' => 'index'));
> }
> // Check if the logged in user's id matches the passed
> in id
> // if not redirect to their edit page
> if ($id != $this->Auth->user('id')) {
> $this->redirect(array('action'=>'edit',
> $this->Auth->user('id'));
>
> }
> if (!empty($this->data)) {
> if ($this->Profile->save($this->data)) {
> $this->Session->setFlash(__('The
> profile has been saved', true));
> $this->redirect(array('action' =>
> 'index'));
> } else {
> $this->Session->setFlash(__('The
> profile could not be saved.
> Please, try again.', true));
> }
> }
> if (empty($this->data)) {
> $this->data = $this->Profile->read(null, $id);
> }
> $users = $this->Profile->User->find('list');
> $this->set(compact('users'));
> }
>
> On Sep 2, 10:49 pm, tubiz <tayi...@gmail.com> wrote:
>
>
>
>
>
>
>
> > Thanks for your help. PLease I still cant restrict access to only the
> > loggen in users details this is my edit code
>
> > function edit($id = null) {
> > if (!$id && empty($this->data)) {
> > $this->Session->setFlash(__('Invalid profile',
> > true));
> > $this->redirect(array('action' => 'index'));
> > }
> > if (!empty($this->data)) {
> > if ($this->Profile->save($this->data)) {
> > $this->Session->setFlash(__('The profile
> > has been saved', true));
> > $this->redirect(array('action' => 'index'));
> > } else {
> > $this->Session->setFlash(__('The profile
> > could not be saved.
> > Please, try again.', true));
> > }
> > }
> > if (empty($this->data)) {
> > $this->data = $this->Profile->read(null, $id);
> > }
> > $users = $this->Profile->User->find('list');
> > $this->set(compact('users'));
> > }
>
> > Would be very grateful if you can edit it to include what you wrote
> > initially.
> > Thanks
>
> > On Sep 3, 5:12 am, andrewperk <andrewp...@gmail.com> wrote:
>
> > > You need to scope the update to only update the logged in user. That
> > > way when a user accesses the update action it will only allow them to
> > > update their own account.
>
> > > For instance on the action to update a user fetch that user like so:
>
> > > public function update() {
> > > // This sets the logged in user as the user to update
> > > $this->User->id = $this->Auth->user('id');
>
> > > Prepopulate form with logged in user details
> > > if (empty($this->data)) {
> > > $this->data = $this->User->read();
> > > }
> > > // Save user
> > > else {
> > > if ($this->User->save($this->data)) {
> > > $this->Session->setFlash('Update successful.', 'default',
> > > array('class'=>'success'));
> > > $this->redirect(array('action'=>'view', $this->Auth->user('id')));
>
> > > }
> > > // There was an error
> > > else {
> > > $this->Session->setFlash('Errors while updating:', 'default',
> > > array('class'=>'error'));
> > > }
> > > }
>
> > > }
>
> > > If for some reason you need the functionality of passing in the user
> > > ID to the update action then do a check to see if the id passed in
> > > matches the logged in user, if not redirect and don't allow them to
> > > edit. So you modify the code above to have an if:
>
> > > public function update($id = null) {
> > > if ($id != $this->Auth->user('id')) {
> > > // User is accessing someone else's profile, don't let them edit
> > > $this->redirect(array('action'=>'index');
>
> > > }
>
> > > // the rest of the update code below..
>
> > > }
>
> > > On Sep 2, 11:55 am, tubiz <tayi...@gmail.com> wrote:
>
> > > > I have already setup the auth component and it is working perfectly.
> > > > But I just discovered a problem.
> > > > There are two users in my users table when I am login as one of the
> > > > users I can access the other users details just by changing the i.d.
> > > > This wouldnt be secure as a login user can access all the details of
> > > > other users,
> > > > Please how can I stop this so that a logged in user is only able to
> > > > view his details only and not other users details.
--
Our newest site for the community: CakePHP Video Tutorials
http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others
with their CakePHP related questions.
To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at
http://groups.google.com/group/cake-php
