The fields are not in the edit.ctp but using form injection a knowledgeable user could add them. Here are the fields in edit.ctp:
<?php echo $form->create('User');?>
<fieldset>
  <legend><?php __('Edit');?> <?php __('User');?></legend>
<?php
  echo $form->input('id');
  echo $form->input('person_name_id');
  echo $form->input('username');
  echo $form->input('email');
?>
</fieldset>
<?php echo $form->end('Submit');?>

Running a simple test with the Web Developer plugin for Firefox, I was able to edit and post the form to update nologin. This was done by adding into the form the line:

<input name="data[User][nologin]" value="1" id="UserNologin" type="checkbox">

and then checking the box and submitting the form.

Gary Dalton

On 9/14/07, RichardAtHome <[EMAIL PROTECTED]> wrote:
>
> I may be misunderstanding your query, but can't you just remove the
> fields from edit.ctp?
>
> Admin will still be able to change them in admin_edit.ctp
>
> On Sep 14, 4:42 pm, bujanga <[EMAIL PROTECTED]> wrote:
> > I think my question is just the result of a Friday brainlock but anyway.
> >
> > Is there a cake way to prevent unwanted fields being inserted into an
> > edit form post?
> > * Admin user is allowed to set $nologin to TRUE or FALSE
> > * but Manager user is only allowed to view it.
> > * Manager user is however allowed to change other items on the User model
> > * Admin submits via admin_edit.ctp
> > * while Manager submits through edit.ctp.
> >
> > Normally, I would discard all unwanted values. I can certainly do this
> > here but is there a cake specific way that I am missing?
> >
> > Gary Dalton
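One way to discard the unwanted values before they reach Model::save(), as an added example rather than code from the thread: a per-role whitelist applied to the data[User] array that Cake builds from the form. The role names, the field lists and the sample POST are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): strip form-injected fields from a
// Cake-style $this->data array before it is handed to Model::save().
// Role names and field lists are assumptions for illustration.

function allowedFields($role)
{
    // Manager may edit these four; only admin may also touch nologin.
    $fields = array('id', 'person_name_id', 'username', 'email');
    if ($role === 'admin') {
        $fields[] = 'nologin';
    }
    return $fields;
}

function filterPostedData(array $data, $model, $role)
{
    if (empty($data[$model]) || !is_array($data[$model])) {
        return array($model => array());
    }
    $allowed = array_flip(allowedFields($role));
    // Keep only whitelisted keys; anything else, such as an injected
    // data[User][nologin] checkbox, is dropped before the save.
    $clean = array_intersect_key($data[$model], $allowed);
    return array($model => $clean);
}

// Constructed sample: a manager's POST carrying an injected nologin field,
// the same array shape Cake produces from data[User][...] inputs.
$posted = array('User' => array(
    'id' => 7, 'person_name_id' => 3, 'username' => 'gary',
    'email' => 'gary@example.com', 'nologin' => '1',
));

$asManager = filterPostedData($posted, 'User', 'manager');
$asAdmin   = filterPostedData($posted, 'User', 'admin');

// The manager's copy loses nologin; the admin's copy keeps it.
assert(!array_key_exists('nologin', $asManager['User']));
assert($asAdmin['User']['nologin'] === '1');

// In a controller action (role lookup is assumed to exist elsewhere):
// $this->User->save(filterPostedData($this->data, 'User', $role));
```

Cake 1.2's Model::save($data, $validate, $fieldList) takes the same kind of whitelist as its third argument, so the filter can be expressed there instead once you are on a version that has it.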