The fields are not in edit.ctp, but using form injection a
knowledgeable user could add them. Here are the fields in edit.ctp:

<?php echo $form->create('User'); ?>
    <fieldset>
        <legend><?php __('Edit'); ?> <?php __('User'); ?></legend>
        <?php
            echo $form->input('id');
            echo $form->input('person_name_id');
            echo $form->input('username');
            echo $form->input('email');
        ?>
    </fieldset>
<?php echo $form->end('Submit'); ?>

Running a simple test with the Web Developer plugin for Firefox, I was
able to edit and post the form to update nologin. This was done by
adding into the form the line:
<input name="data[User][nologin]" value="1" id="UserNologin" type="checkbox">
and then checking the box and submitting the form.

Gary Dalton




On 9/14/07, RichardAtHome <[EMAIL PROTECTED]> wrote:
>
> I may be misunderstanding your query, but can't you just remove the
> fields from edit.ctp ?
>
> Admin will still be able to change them in admin_edit.ctp
>
> On Sep 14, 4:42 pm, bujanga <[EMAIL PROTECTED]> wrote:
> > I think my question is just the result of a Friday brainlock but anyway.
> >
> > Is there a cake way to prevent unwanted fields being inserted into an
> > edit form post?
> > * Admin user is allowed to set $nologin to TRUE or FALSE
> > * but Manager user is only allowed to view it.
> > * Manager user is however allowed to change other items on the User model
> > * Admin submits via admin_edit.ctp
> > * while Manager submits through edit.ctp.
> >
> > Normally, I would discard all unwanted values. I can certainly do this
> > here but is there a cake specific way that I am missing?
> >
> > Gary Dalton

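The tampering shown above works because the view only decides which inputs are rendered; the server still accepts whatever keys arrive in data[User][...]. The following is an added example, not code from this thread or from CakePHP itself: a plain-PHP whitelist applied to the submitted array before it reaches Model::save(), exercised against a constructed copy of the tampered POST. The helper name filterSubmittedFields and the field names are assumptions taken from the edit.ctp shown in the post.

```php
<?php
// Added example (not from the thread). Assumes CakePHP 1.x request layout
// ($this->data['User'][...]) and the User fields named in edit.ctp.

// Keep only the keys a given role may submit for $model. Anything else in
// the POST, such as an injected data[User][nologin], is dropped before save.
function filterSubmittedFields($data, $model, $allowed)
{
    if (empty($data[$model]) || !is_array($data[$model])) {
        return array($model => array());
    }
    $kept = array_intersect_key($data[$model], array_flip($allowed));
    return array($model => $kept);
}

// Constructed sample of the manager's tampered POST after the extra checkbox
// is added with the Web Developer toolbar and the form is submitted.
$tamperedPost = array('User' => array(
    'id'             => '7',
    'person_name_id' => '3',
    'username'       => 'mgr',
    'email'          => 'mgr@example.com',
    'nologin'        => '1',   // injected field
));

// What a Manager may change through edit.ctp (admin_edit.ctp would add 'nologin').
$managerFields = array('id', 'person_name_id', 'username', 'email');

$clean = filterSubmittedFields($tamperedPost, 'User', $managerFields);
echo isset($clean['User']['nologin']) ? "nologin reached save()\n"
                                      : "nologin stripped\n";
echo 'fields passed on: ' . implode(', ', array_keys($clean['User'])) . "\n";

/* Inside the controller the manager's action would apply the same filter
   (sketch, assuming Cake 1.x controller conventions; hypothetical code):

class UsersController extends AppController {
    var $name = 'Users';

    function edit($id = null) {
        if (!empty($this->data)) {
            $this->data = filterSubmittedFields($this->data, 'User',
                array('id', 'person_name_id', 'username', 'email'));
            if ($this->User->save($this->data)) {
                $this->Session->setFlash('User saved');
                $this->redirect(array('action' => 'index'));
            }
        }
        $this->data = $this->User->read(null, $id);
    }
}
*/
```

Two caveats a reviewer would add. First, if the release in use offers it, Model::save() accepts a field whitelist as its third argument (save($data, $validate, $fieldList) in CakePHP 1.2), which does the same job without a helper; check the signature for the version you run before relying on it. Second, the whitelist only controls which columns are written: the hidden id input is just as editable in the toolbar as nologin, so the edit action should also verify that the submitted id is one the current user is allowed to modify rather than trusting it from the form.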
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake 
PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
