Yeah, at first I didn't really realise what this was about.. But
Euromark is right. Just make another function, to which normal users
have access, and change the way it inputs fields. You can read from DB
to see the old values and place them to be sure they haven't changed,
and only put the allowed ones in from the form.

But interesting topic, until you asked I really didn't think of this
in cake..

There is also another way that came across my mind for doing this.
It's a little odd, but in odd situations odd solutions can be ok.

If you have like 50 fields in db which user shouldn't be able to
change and 50 more which he should (really awkward situation but let's
just say this is it for conversation purposes..), you could make 2 DB
tables. First one consists of 50 allowed fields + 1 not allowed to
change and the other is made of 50 forbidden fields. Logically, you have
one on one or many on one relation from allowed to not allowed and that
is that +1 field. So you can set up function which changes those
50 allowed plus 1 not allowed fields, and check for only that one
which is a connection to forbidden fields. So it is kinda boring, but
at least you do not need to check for these 50 fields in your
controller...

I hope it helps a bit, and that you will succeed in your
project!

All the best !
Milos
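The field whitelist that euromark and cricket describe further down in the thread, as an added example that is not code from any poster or from CakePHP itself; it assumes the CakePHP 1.3 API ($this->data, Model::save($data, $validate, $fieldList)) and made-up model, controller and field names:

```php
<?php
// Added example, not code from the thread or from CakePHP. It implements the
// field whitelist that euromark and cricket describe, against the CakePHP 1.3
// API ($this->data, Model::save($data, $validate, $fieldList)); model,
// controller and field names are assumptions.
class User extends AppModel {
    public $name = 'User';
    // One place to maintain the per-action whitelists, so a schema change is
    // reflected here instead of in every controller action.
    public $allowedFields = array(
        'edit'   => array('name', 'email', 'bio'),
        'manage' => array('name', 'email', 'bio', 'role_id', 'active'),
    );
}

class UsersController extends AppController {
    public $components = array('Auth');
    // Self-service edit: the record id is taken from the session, never from
    // the form, so a tampered hidden "id" cannot point at another user.
    public function edit() {
        $this->saveWhitelisted($this->Auth->user('id'), $this->User->allowedFields['edit']);
    }

    // Admin-only edit (access restricted via Auth, not shown): the id comes
    // from the URL and role_id/active are permitted.
    public function manage($id = null) {
        $this->saveWhitelisted($id, $this->User->allowedFields['manage']);
    }

    protected function saveWhitelisted($id, $fieldList) {
        if (!empty($this->data)) {
            // First guard: drop every submitted key that is not whitelisted,
            // then pin the primary key to the one chosen by the action.
            $this->data['User'] = array_intersect_key(
                $this->data['User'], array_flip($fieldList));
            $this->data['User']['id'] = $id;
            // Second guard: fieldList makes save() ignore any other column,
            // so even a key that slipped past the filter is never written.
            $saved = $this->User->save($this->data, true,
                array_merge(array('id'), $fieldList));
            if ($saved) {
                $this->redirect(array('action' => 'edit'));
            }
        } else {
            // GET: show the currently stored values in the form.
            $this->data = $this->User->read(null, $id);
        }
    }
}
```

The Security component still adds value on top of this (it detects forms whose field set was altered in the browser), but as euromark notes it cannot tell a valid foreign id from the user's own, which is why the id is pinned server-side here.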

On Apr 3, 12:32 pm, euromark <dereurom...@googlemail.com> wrote:
> i disagree with Milos in some points
> but yes, the crucial point is that the main focus should be the server
> side as far as security is concerned
>
> but besides that he proposes hacks that will not only make the code
> less readable, it also opens the door for many
> bugs and errors as well as bloating the model unnecessarily.
>
> "if you didn't input required value
> (if you even specified what types of character can be used), there is
> no way you'll pass submitting"
> actually, you will. what if the validation is only checking if the ID
> is valid. you still could use the ID of any other user on the site.
> and the security component will not be able to do anything against it.
>
> that's why all fields that are not intended to be changed should be
> excluded from being passed on to the model.
> this way you can ensure that no harm can be done to them.
> it's easy, it's short (compared to other solutions like Milos'), it's
> clean.
>
> On 3 Apr., 10:57, Miloš Vučinić <milosvuci...@gmail.com> wrote:
>
> > I just read smth. So one more comment :) Hope I am not boring you. If
> > you are worried about primary key injection etc, you can always make
> > rights to do stuff. You can have several functions for doing stuff.
> > You can grab data in controller and see if somebody tried to enter a
> > parameter which is not allowed for this kind of users. Like role_id
> > etc, and if they are not null, you block the save functions.
>
> > Eg.
> > I have user controller, and I have 2 edit functions and by that 2
> > different forms. First one is for admins, and second one for users. In
> > users function I check the data before calling model ($this->save($data))
> > and I see what is in that data. If I find smth I don't
> > want there I would not call the save data function...
>
> > I can't remember if I actually did that, but I think it is quite
> > doable, because you have access to data var before calling the model..
>
> > all the best :)
>
> > On Apr 3, 10:51 am, Miloš Vučinić <milosvuci...@gmail.com> wrote:
>
> > > And if you hate programming so many fields, just bake the add form for
> > > the database table and change it the way you want.. baking takes like
> > > a minute to finish .
> > > :)
>
> > > I am now baking everything I can :)
>
> > > all the best
> > > Milos
>
> > > On Apr 2, 9:26 pm, "Krissy Masters" <naked.cake.ba...@gmail.com>
> > > wrote:
>
> > > > Right on. Was only curious since Security creates a hash based on the fields
> > > > I figured there must be some way to do the same thing and use it for
> > > > whatever reason.
>
> > > > Thanks for the info all the same.
>
> > > > K
>
> > > > -----Original Message-----
> > > > From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of euromark
> > > > Sent: Saturday, April 02, 2011 10:43 PM
> > > > To: CakePHP
> > > > Subject: Re: Euromark function guaranteeFields($requiredFields, $data = null) {
>
> > > > it is not possible
>
> > > > the controller has no direct link to the form helper
> > > > especially not after a post (and therefore BEFORE the form is rendered
> > > > again).
> > > > controller + model are finished before the view even starts to render.
>
> > > > you would need to embed the keys as a hidden field in the form itself
> > > > (+ hash etc to disallow any modifications).
> > > > but then you could just as well use the security component and you
> > > > would be already done.
>
> > > > so I don't see a point in that.
> > > > I agree that it can be a pain in the butt.
> > > > in some rare occasions you could use blacklisting (especially if you
> > > > only want to forbid 1 field of 50 allowed fields).
> > > > in other occasions you would store those field names in a (long?)
> > > > array in the model and simply use it in the controller
> > > > $this->Model->allowedFieldsForEdit
> > > > etc
>
> > > > either way linking the form helper / form inputs to the model logic
> > > > can probably do more harm than good.
> > > > i would think about which fields are allowed and manually pass them to
> > > > the set/save methods. using the model arrays to store the fields will
> > > > also ensure that after an update of the schema you got all field names
> > > > in a single place. less likely you will forget to add/delete fields.
>
> > > > On 3 Apr., 00:51, "Krissy Masters" <naked.cake.ba...@gmail.com> wrote:
> > > > > Sorry I think you missed my point.
> > > > > Example:
> > > > > I have a form with 50 fields. I would have to manually type out all 50 if
> > > > > they have to be in the form = pain
> > > > > I'm interested in grabbing all the field names the form has before it's
> > > > > rendered. Then use that in the function before saving
>
> > > > > beforeRender() / beforeFilter(){
> > > > > grab all the fields your form has before rendering it
>
> > > > > $form_fields = ??? somefunction to grab all your fields
>
> > > > > Then use an array / !in_array / array_keys to keep / exclude ones that
> > > > > are required to be there
>
> > > > > $required_fields = array_diff( array('optional', 'fields', 'here'
> > > > > ),$form_fields); //something like that so you type out a few not all type
> > > > > thing
>
> > > > > }
>
> > > > > That's what I am wondering, if anyone knows how you could grab a list of
> > > > > fields in the form.
>
> > > > > Thanks,
>
> > > > > K
>
> > > > > -----Original Message-----
> > > > > From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of cricket
> > > > > Sent: Saturday, April 02, 2011 7:45 PM
> > > > > To: cake-php@googlegroups.com
> > > > > Subject: Re: Euromark function guaranteeFields($requiredFields, $data = null) {
>
> > > > > On Sat, Apr 2, 2011 at 3:10 PM, Krissy Masters
> > > > > <naked.cake.ba...@gmail.com> wrote:
> > > > > > Reading the bit about making fields required in a form so a user can not
> > > > > > firebug them out and thought is there a way to manually grab the names of
> > > > > > the fields in a form being rendered in the controller?
> > > > > > Form might have 50 fields and you need them all, writing out all of that
> > > > > > would be trauma. (but writing the names and updating the model in the
> > > > > > future, spelling....so on)
>
> > > > > > Security component does something with all the names to make its hash, no?
>
> > > > > > Anyone have any ideas? Here is a link to his excellent idea in case anyone
> > > > > > wants to read up on it.
>
> > > > > >http://www.dereuromark.de/2010/09/21/saving-model-data-and-security/
>
> > > > > > section => Protection against missing fields
>
> > > > > I think it would be best to use a class var in the model.
>
> > > > > $this->Model->set(
> > > > >         $this->data,
> > > > >         null,
> > > > >         $this->Model->required_fields
> > > > > );
>
> > > > > You could even have separate field lists for different actions:
>
> > > > > $this->Model->set(
> > > > >         $this->data,
> > > > >         null,
> > > > >         $this->Model->required_fields['edit']
> > > > > );
>
>

-- 
Our newest site for the community: CakePHP Video Tutorials 
http://tv.cakephp.org 
Check out the new CakePHP Questions site http://ask.cakephp.org and help others 
with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php
