Re: Issues With Auth Component

2011-09-08 Thread LunarDraco
  Auth is NOT Access Control; it is simply authentication.

 No need to go rushing towards ACL.

 http://book.cakephp.org/view/1275/authorize

 $this->Auth->authorize = 'controller'; is a very acceptable
 configuration for authorisation, which is why it is probably the most
 commonly used.

 I find ACL overkill for most situations and many other people at
 CakeFest felt the same, although in the interests of fairness, a lot
 of people also confirmed they use ACL all the time.
I agree with Paul. I actually don't use ACL on any of my projects, as
the authorize-by-controller action is sufficient for my projects and
easier to maintain. I should have been clearer in my comment about "if
you don't really need full ACL". Thanks for pointing out the book ref.

Morgan

-- 
Our newest site for the community: CakePHP Video Tutorials 
http://tv.cakephp.org 
Check out the new CakePHP Questions site http://ask.cakephp.org and help others 
with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php


Re: Issues With Auth Component

2011-09-07 Thread WebbedIT
On Sep 6, 8:36 pm, LunarDraco mdc...@gmail.com wrote:
 Auth is NOT Access Control; it is simply authentication.

No need to go rushing towards ACL.

http://book.cakephp.org/view/1275/authorize

$this->Auth->authorize = 'controller'; is a very acceptable
configuration for authorisation, which is why it is probably the most
commonly used.

I find ACL overkill for most situations and many other people at
CakeFest felt the same, although in the interests of fairness, a lot
of people also confirmed they use ACL all the time.

HTH, Paul



Re: Issues With Auth Component

2011-09-06 Thread LunarDraco
Auth is NOT Access Control; it is simply authentication. You know the
user is real and has validated.

Access Control at a data level requires a bit more than Auth.

In general you can build up an ACL (Access Control List) where you can
then control which data is visible to different request objects.

If you really don't need full ACL and you just want to limit the user,
you can add a check against the Auth component's current user id and
compare it to the id they are trying to edit/view etc.:
$this->Auth->user('id');

More info can be found here: 
http://book.cakephp.org/view/1242/Access-Control-Lists


On Sep 2, 12:55 pm, tubiz tayi...@gmail.com wrote:
 I have already set up the auth component and it is working perfectly.
 But I just discovered a problem.
 There are two users in my users table; when I am logged in as one of the
 users I can access the other user's details just by changing the id.
 This wouldn't be secure, as a logged-in user can access all the details of
 other users.
 Please, how can I stop this so that a logged-in user is only able to
 view his own details and not other users' details?



Re: Issues With Auth Component

2011-09-05 Thread WebbedIT
You should really look at modifying your Auth configuration so you
can move the authorisation work out of the controller actions and into
Controller::isAuthorized().

In your AppController (if applying to the whole app) you could do
$this->Auth->authorize = 'controller';

Then you create an isAuthorized() method in each of your controllers,
which runs after a user has been authenticated. In here you can run
any PHP code you want and return true if the user is allowed access to
the requested resource or false if not.

Book page:
http://book.cakephp.org/view/1275/authorize

HTH, Paul
@phpMagpie

On Sep 4, 1:55 pm, tubiz tayi...@gmail.com wrote:
 Hi andrewperk, I am really grateful for your help so far. Thanks a lot;
 before I got the reply I was able to figure it out.

 One last problem I am having is that if a user wants to edit his
 profile and the id field for the user in the profile table is 1 but
 the value of the logged-in user id is 2, a user trying to edit his
 profile won't be able to edit his profile; instead he would be editing
 the user whose id is 2 in the profile table, because whenever a user
 is trying to edit his profile I am passing the value of the logged-in user
 id from the user table.

 Is there a way for me to edit a profile targeting the user_id in the
 profile table instead of the id in the profile table?

 On Sep 4, 3:15 am, andrewperk andrewp...@gmail.com wrote:
  I can try to give you some tips on how to build your code and the
  logic behind it.

  I assume your user model has a (hasOne) relationship to the profile
  model and the profile model has a (belongsTo) relationship to the User
  model, right?  A user can have a single profile. In the profiles table
  there's a user_id field to relate that profile to a user.

  You should then be able to do a check on the logged in user's
  associated profile to see if a profile even exists. You can do this by
  looking in the profile table to see if one has a user_id field equal
  to your logged in user's id. If you find a row with a user_id field
  equal to your logged in user that means they have created a profile
  already, if not, they don't have a profile. You would do something
  like:

  function addProfile() {
      // Try to find a profile that belongs to the logged in user's ID
      $profile = $this->Profile->findByUserId($this->Auth->user('id'));

      // If it's not empty, that means the logged in user's profile was
      // found, so redirect out
      if (!empty($profile)) {
          $this->Session->setFlash('You already have a profile');
          $this->redirect(array('controller' => 'users', 'action' => 'index'));
      }

      // If they got here they don't have a profile, create a new one,
      // your add a profile code goes here...
  }

  There might be a better way to check this, possibly through the User
  model association but this was just off the top of my head and should
  get you headed in the right direction.

  On Sep 3, 2:27 pm, tubiz tayi...@gmail.com wrote:

   Really grateful for your help. It is now working as I wanted it to;
   I didn't know it was this simple, but I was thinking in this direction.

   But I am having another problem in my CakePHP application. I have a
   function called addProfile; I would like the function to be displayed
   to a user that has logged in and hasn't set up his profile, but if he has
   set it up he should be directed to the Users homepage.

   On Sep 3, 5:48 pm, andrewperk andrewp...@gmail.com wrote:

It's pretty simple, just use a conditional to compare the logged in
user's ID to the ID passed in to the URL. If it doesn't match then
they get redirected back to the edit page but this time passing in
their ID rather than the one they tried to use. This should ensure
only the current user can edit their current profile. Each time the
user enters in an ID when trying to access the edit page and that ID
doesn't match their ID they will get redirected.

function edit($id = null) {
    if (!$id && empty($this->data)) {
        $this->Session->setFlash(__('Invalid profile', true));
        $this->redirect(array('action' => 'index'));
    }
    // Check if the logged in user's id matches the passed in id;
    // if not, redirect to their own edit page
    if ($id != $this->Auth->user('id')) {
        $this->redirect(array('action' => 'edit', $this->Auth->user('id')));
    }
    if (!empty($this->data)) {
        if ($this->Profile->save($this->data)) {
            $this->Session->setFlash(__('The profile has been saved', true));
            $this->redirect(array('action' => 'index'));
        } else {
            $this->Session->setFlash(__('The
profile could not be saved.
Please, try 
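
The isAuthorized() approach Paul describes in his 2011-09-05 message, worked through as an added example (this is not code from the thread or from the CakePHP book): an AppController that switches Auth to controller authorisation, and a ProfilesController whose isAuthorized() decides ownership by the profile's user_id column before the action runs. It assumes CakePHP 1.3 (the version of the book pages linked in the thread), a profiles table with a user_id column, and the action names view/edit/delete; all three are assumptions.

```php
<?php
// app/app_controller.php (added example, not code from the thread)
class AppController extends Controller {
    var $components = array('Auth', 'Session');

    function beforeFilter() {
        // Authentication: every action needs a logged-in user unless a
        // controller calls $this->Auth->allow() for it.
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
        // Authorisation: after login, AuthComponent asks the controller's
        // isAuthorized() whether this user may run this action.
        $this->Auth->authorize = 'controller';
    }

    // Default for controllers without per-user records: being logged in is enough.
    function isAuthorized() {
        return true;
    }
}

// app/controllers/profiles_controller.php (added example)
class ProfilesController extends AppController {
    var $name = 'Profiles';

    // Actions whose first URL argument is a profile id (assumed action names).
    var $ownerOnly = array('view', 'edit', 'delete');

    // Called by AuthComponent before the action runs, so view()/edit()/delete()
    // never execute for a profile the caller does not own.
    function isAuthorized() {
        if (!in_array($this->action, $this->ownerOnly)) {
            return true;
        }
        if (empty($this->params['pass'][0])) {
            return false;
        }
        $profileId = $this->params['pass'][0];

        // Ownership is profiles.user_id, not the profile's own primary key,
        // so compare the row's user_id column with the session user. field()
        // returns false when no such row exists, which denies access.
        $owner = $this->Profile->field('user_id', array('Profile.id' => $profileId));
        return $owner !== false && (string)$owner === (string)$this->Auth->user('id');
    }
}
```

With this in place, a logged-in user 1 requesting /profiles/edit/2 is refused by AuthComponent before edit() executes, and no per-action check is needed in the action body. It guards only the id in the URL: an edit form still posts data[Profile][id], so the action should take the primary key from the same owner lookup rather than from $this->data before calling save().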

Re: Issues With Auth Component

2011-09-04 Thread tubiz
Hi andrewperk, I am really grateful for your help so far. Thanks a lot;
before I got the reply I was able to figure it out.

One last problem I am having is that if a user wants to edit his
profile and the id field for the user in the profile table is 1 but
the value of the logged-in user id is 2, a user trying to edit his
profile won't be able to edit his profile; instead he would be editing
the user whose id is 2 in the profile table, because whenever a user
is trying to edit his profile I am passing the value of the logged-in user
id from the user table.

Is there a way for me to edit a profile targeting the user_id in the
profile table instead of the id in the profile table?

On Sep 4, 3:15 am, andrewperk andrewp...@gmail.com wrote:
 I can try to give you some tips on how to build your code and the
 logic behind it.

 I assume your user model has a (hasOne) relationship to the profile
 model and the profile model has a (belongsTo) relationship to the User
 model, right?  A user can have a single profile. In the profiles table
 there's a user_id field to relate that profile to a user.

 You should then be able to do a check on the logged in user's
 associated profile to see if a profile even exists. You can do this by
 looking in the profile table to see if one has a user_id field equal
 to your logged in user's id. If you find a row with a user_id field
 equal to your logged in user that means they have created a profile
 already, if not, they don't have a profile. You would do something
 like:

 function addProfile() {
     // Try to find a profile that belongs to the logged in user's ID
     $profile = $this->Profile->findByUserId($this->Auth->user('id'));

     // If it's not empty, that means the logged in user's profile was
     // found, so redirect out
     if (!empty($profile)) {
         $this->Session->setFlash('You already have a profile');
         $this->redirect(array('controller' => 'users', 'action' => 'index'));
     }

     // If they got here they don't have a profile, create a new one,
     // your add a profile code goes here...
 }

 There might be a better way to check this, possibly through the User
 model association but this was just off the top of my head and should
 get you headed in the right direction.

 On Sep 3, 2:27 pm, tubiz tayi...@gmail.com wrote:

  Really grateful for your help. It is now working as I wanted it to;
  I didn't know it was this simple, but I was thinking in this direction.

  But I am having another problem in my CakePHP application. I have a
  function called addProfile; I would like the function to be displayed
  to a user that has logged in and hasn't set up his profile, but if he has
  set it up he should be directed to the Users homepage.

  On Sep 3, 5:48 pm, andrewperk andrewp...@gmail.com wrote:

   It's pretty simple, just use a conditional to compare the logged in
   user's ID to the ID passed in to the URL. If it doesn't match then
   they get redirected back to the edit page but this time passing in
   their ID rather than the one they tried to use. This should ensure
   only the current user can edit their current profile. Each time the
   user enters in an ID when trying to access the edit page and that ID
   doesn't match their ID they will get redirected.

   function edit($id = null) {
       if (!$id && empty($this->data)) {
           $this->Session->setFlash(__('Invalid profile', true));
           $this->redirect(array('action' => 'index'));
       }
       // Check if the logged in user's id matches the passed in id;
       // if not, redirect to their own edit page
       if ($id != $this->Auth->user('id')) {
           $this->redirect(array('action' => 'edit', $this->Auth->user('id')));
       }
       if (!empty($this->data)) {
           if ($this->Profile->save($this->data)) {
               $this->Session->setFlash(__('The profile has been saved', true));
               $this->redirect(array('action' => 'index'));
           } else {
               $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
           }
       }
       if (empty($this->data)) {
           $this->data = $this->Profile->read(null, $id);
       }
       $users = $this->Profile->User->find('list');
       $this->set(compact('users'));
   }

   On Sep 2, 10:49 pm, tubiz tayi...@gmail.com wrote:

Thanks for your help. Please, I still can't restrict access to only the
logged-in user's details. This is my edit code:

        function edit($id = null) {
            if (!$id && empty($this->data)) {
                $this->Session->setFlash(__('Invalid profile', 
true));
                        

Re: Issues With Auth Component

2011-09-03 Thread andrewperk

It's pretty simple, just use a conditional to compare the logged in
user's ID to the ID passed in to the URL. If it doesn't match then
they get redirected back to the edit page but this time passing in
their ID rather than the one they tried to use. This should ensure
only the current user can edit their current profile. Each time the
user enters in an ID when trying to access the edit page and that ID
doesn't match their ID they will get redirected.

function edit($id = null) {
    if (!$id && empty($this->data)) {
        $this->Session->setFlash(__('Invalid profile', true));
        $this->redirect(array('action' => 'index'));
    }
    // Check if the logged in user's id matches the passed in id;
    // if not, redirect to their own edit page
    if ($id != $this->Auth->user('id')) {
        $this->redirect(array('action' => 'edit', $this->Auth->user('id')));
    }
    if (!empty($this->data)) {
        if ($this->Profile->save($this->data)) {
            $this->Session->setFlash(__('The profile has been saved', true));
            $this->redirect(array('action' => 'index'));
        } else {
            $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
        }
    }
    if (empty($this->data)) {
        $this->data = $this->Profile->read(null, $id);
    }
    $users = $this->Profile->User->find('list');
    $this->set(compact('users'));
}

On Sep 2, 10:49 pm, tubiz tayi...@gmail.com wrote:
 Thanks for your help. Please, I still can't restrict access to only the
 logged-in user's details. This is my edit code:

         function edit($id = null) {
             if (!$id && empty($this->data)) {
                 $this->Session->setFlash(__('Invalid profile', true));
                 $this->redirect(array('action' => 'index'));
             }
             if (!empty($this->data)) {
                 if ($this->Profile->save($this->data)) {
                     $this->Session->setFlash(__('The profile has been saved', true));
                     $this->redirect(array('action' => 'index'));
                 } else {
                     $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
                 }
             }
             if (empty($this->data)) {
                 $this->data = $this->Profile->read(null, $id);
             }
             $users = $this->Profile->User->find('list');
             $this->set(compact('users'));
         }

 Would be very grateful if you can edit it to include what you wrote
 initially.
 Thanks

 On Sep 3, 5:12 am, andrewperk andrewp...@gmail.com wrote:

  You need to scope the update to only update the logged in user. That
  way when a user accesses the update action it will only allow them to
  update their own account.

  For instance on the action to update a user fetch that user like so:

  public function update() {
      // This sets the logged in user as the user to update
      $this->User->id = $this->Auth->user('id');

      // Prepopulate form with logged in user details
      if (empty($this->data)) {
          $this->data = $this->User->read();
      }
      // Save user
      else {
          if ($this->User->save($this->data)) {
              $this->Session->setFlash('Update successful.', 'default',
                  array('class' => 'success'));
              $this->redirect(array('action' => 'view', $this->Auth->user('id')));
          }
          // There was an error
          else {
              $this->Session->setFlash('Errors while updating:', 'default',
                  array('class' => 'error'));
          }
      }
  }

  If for some reason you need the functionality of passing in the user
  ID to the update action then do a check to see if the id passed in
  matches the logged in user, if not redirect  and don't allow them to
  edit. So you modify the code above to have an if:

  public function update($id = null) {
      if ($id != $this->Auth->user('id')) {
          // User is accessing someone else's profile, don't let them edit
          $this->redirect(array('action' => 'index'));
      }

      // the rest of the update code below..
  }

  On Sep 2, 11:55 am, tubiz tayi...@gmail.com wrote:

    I have already set up the auth component and it is working perfectly.
    But I just discovered a problem.
    There are two users in my users table; when I am logged in as one of the
    users I can access the other user's details just by changing the id.
    This wouldn't be secure, as a logged-in user can access all the details of
    other users.
    Please, how can I stop this so that a logged-in user is only able to
    view his own details and not other users' details?

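
A variant of the edit() action from andrewperk's message above, added here as an example and not code from the thread, that addresses tubiz's 2011-09-04 follow-up (the profile's id and the user's id are different numbers) and one thing the posted code does not cover: save($this->data) updates whichever row is named in the posted data[Profile][id], so checking only the URL argument leaves the form field unchecked. Here the row is resolved from the session user's user_id, the primary key is pinned server-side before save(), and a field whitelist keeps id and user_id out of the form's reach. Assumed: CakePHP 1.3, a profiles table with a user_id column plus the hypothetical columns bio and website, and an addProfile action as discussed in the thread.

```php
<?php
// app/controllers/profiles_controller.php (added example, not the poster's code)
class ProfilesController extends AppController {
    var $name = 'Profiles';
    var $components = array('Auth', 'Session');

    // Columns a user may change on their own profile (assumed names). id and
    // user_id are deliberately absent, so values posted for them are ignored.
    var $editable = array('bio', 'website');

    function edit() {
        $userId = $this->Auth->user('id');

        // Resolve the row by its owner, never by an id taken from the URL or
        // the form; the profile's own id is looked up, not trusted.
        $profile = $this->Profile->find('first', array(
            'conditions' => array('Profile.user_id' => $userId),
            'recursive'  => -1,
        ));
        if (empty($profile)) {
            $this->Session->setFlash(__('You have not created a profile yet', true));
            $this->redirect(array('action' => 'addProfile'));
        }
        $profileId = $profile['Profile']['id'];

        if (!empty($this->data)) {
            // Pin the primary key server-side: whatever data[Profile][id] the
            // client posted is overwritten before save() picks the target row.
            $this->data['Profile']['id'] = $profileId;
            $this->Profile->id = $profileId;

            // Third argument is the field whitelist; only these columns are
            // written, so a posted user_id cannot re-assign the profile.
            if ($this->Profile->save($this->data, true, $this->editable)) {
                $this->Session->setFlash(__('The profile has been saved', true));
                $this->redirect(array('action' => 'index'));
            } else {
                $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
            }
        }
        if (empty($this->data)) {
            $this->data = $profile;
        }
    }
}
```

Because the action no longer takes an id argument, there is nothing in the URL for a user to change; the old `/profiles/edit/2` form of the request simply edits the caller's own profile. The `$users = find('list')` select from the posted code is dropped on purpose: a profile's owner is fixed by the session, so the form has no reason to offer a user picker.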

Re: Issues With Auth Component

2011-09-03 Thread tubiz
Really grateful for your help. It is now working as I wanted it to;
I didn't know it was this simple, but I was thinking in this direction.

But I am having another problem in my CakePHP application. I have a
function called addProfile; I would like the function to be displayed
to a user that has logged in and hasn't set up his profile, but if he has
set it up he should be directed to the Users homepage.

On Sep 3, 5:48 pm, andrewperk andrewp...@gmail.com wrote:
 It's pretty simple, just use a conditional to compare the logged in
 user's ID to the ID passed in to the URL. If it doesn't match then
 they get redirected back to the edit page but this time passing in
 their ID rather than the one they tried to use. This should ensure
 only the current user can edit their current profile. Each time the
 user enters in an ID when trying to access the edit page and that ID
 doesn't match their ID they will get redirected.

 function edit($id = null) {
     if (!$id && empty($this->data)) {
         $this->Session->setFlash(__('Invalid profile', true));
         $this->redirect(array('action' => 'index'));
     }
     // Check if the logged in user's id matches the passed in id;
     // if not, redirect to their own edit page
     if ($id != $this->Auth->user('id')) {
         $this->redirect(array('action' => 'edit', $this->Auth->user('id')));
     }
     if (!empty($this->data)) {
         if ($this->Profile->save($this->data)) {
             $this->Session->setFlash(__('The profile has been saved', true));
             $this->redirect(array('action' => 'index'));
         } else {
             $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
         }
     }
     if (empty($this->data)) {
         $this->data = $this->Profile->read(null, $id);
     }
     $users = $this->Profile->User->find('list');
     $this->set(compact('users'));
 }

 On Sep 2, 10:49 pm, tubiz tayi...@gmail.com wrote:

  Thanks for your help. Please, I still can't restrict access to only the
  logged-in user's details. This is my edit code:

          function edit($id = null) {
              if (!$id && empty($this->data)) {
                  $this->Session->setFlash(__('Invalid profile', true));
                  $this->redirect(array('action' => 'index'));
              }
              if (!empty($this->data)) {
                  if ($this->Profile->save($this->data)) {
                      $this->Session->setFlash(__('The profile has been saved', true));
                      $this->redirect(array('action' => 'index'));
                  } else {
                      $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
                  }
              }
              if (empty($this->data)) {
                  $this->data = $this->Profile->read(null, $id);
              }
              $users = $this->Profile->User->find('list');
              $this->set(compact('users'));
          }

  Would be very grateful if you can edit it to include what you wrote
  initially.
  Thanks

  On Sep 3, 5:12 am, andrewperk andrewp...@gmail.com wrote:

   You need to scope the update to only update the logged in user. That
   way when a user accesses the update action it will only allow them to
   update their own account.

   For instance on the action to update a user fetch that user like so:

   public function update() {
       // This sets the logged in user as the user to update
       $this->User->id = $this->Auth->user('id');

       // Prepopulate form with logged in user details
       if (empty($this->data)) {
           $this->data = $this->User->read();
       }
       // Save user
       else {
           if ($this->User->save($this->data)) {
               $this->Session->setFlash('Update successful.', 'default',
                   array('class' => 'success'));
               $this->redirect(array('action' => 'view', $this->Auth->user('id')));
           }
           // There was an error
           else {
               $this->Session->setFlash('Errors while updating:', 'default',
                   array('class' => 'error'));
           }
       }
   }

   If for some reason you need the functionality of passing in the user
   ID to the update action then do a check to see if the id passed in
   matches the logged in user, if not redirect  and don't allow them to
   edit. So you modify the code above to have an if:

   public function update($id = null) {
       if ($id != $this->Auth->user('id')) {
           // User is accessing someone else's profile, don't let them edit
           $this->redirect(array('action' => 'index'));
       }

       // the rest of the update code below..
   }


Re: Issues With Auth Component

2011-09-03 Thread andrewperk
I can try to give you some tips on how to build your code and the
logic behind it.

I assume your user model has a (hasOne) relationship to the profile
model and the profile model has a (belongsTo) relationship to the User
model, right?  A user can have a single profile. In the profiles table
there's a user_id field to relate that profile to a user.

You should then be able to do a check on the logged in user's
associated profile to see if a profile even exists. You can do this by
looking in the profile table to see if one has a user_id field equal
to your logged in user's id. If you find a row with a user_id field
equal to your logged in user that means they have created a profile
already, if not, they don't have a profile. You would do something
like:

function addProfile() {
    // Try to find a profile that belongs to the logged in user's ID
    $profile = $this->Profile->findByUserId($this->Auth->user('id'));

    // If it's not empty, that means the logged in user's profile was
    // found, so redirect out
    if (!empty($profile)) {
        $this->Session->setFlash('You already have a profile');
        $this->redirect(array('controller' => 'users', 'action' => 'index'));
    }

    // If they got here they don't have a profile, create a new one,
    // your add a profile code goes here...
}

There might be a better way to check this, possibly through the User
model association but this was just off the top of my head and should
get you headed in the right direction.


On Sep 3, 2:27 pm, tubiz tayi...@gmail.com wrote:
 Really grateful for your help. It is now working as I wanted it to;
 I didn't know it was this simple, but I was thinking in this direction.

 But I am having another problem in my CakePHP application. I have a
 function called addProfile; I would like the function to be displayed
 to a user that has logged in and hasn't set up his profile, but if he has
 set it up he should be directed to the Users homepage.

 On Sep 3, 5:48 pm, andrewperk andrewp...@gmail.com wrote:

  It's pretty simple, just use a conditional to compare the logged in
  user's ID to the ID passed in to the URL. If it doesn't match then
  they get redirected back to the edit page but this time passing in
  their ID rather than the one they tried to use. This should ensure
  only the current user can edit their current profile. Each time the
  user enters in an ID when trying to access the edit page and that ID
  doesn't match their ID they will get redirected.

  function edit($id = null) {
      if (!$id && empty($this->data)) {
          $this->Session->setFlash(__('Invalid profile', true));
          $this->redirect(array('action' => 'index'));
      }
      // Check if the logged in user's id matches the passed in id;
      // if not, redirect to their own edit page
      if ($id != $this->Auth->user('id')) {
          $this->redirect(array('action' => 'edit', $this->Auth->user('id')));
      }
      if (!empty($this->data)) {
          if ($this->Profile->save($this->data)) {
              $this->Session->setFlash(__('The profile has been saved', true));
              $this->redirect(array('action' => 'index'));
          } else {
              $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
          }
      }
      if (empty($this->data)) {
          $this->data = $this->Profile->read(null, $id);
      }
      $users = $this->Profile->User->find('list');
      $this->set(compact('users'));
  }

  On Sep 2, 10:49 pm, tubiz tayi...@gmail.com wrote:

   Thanks for your help. Please, I still can't restrict access to only the
   logged-in user's details. This is my edit code:

           function edit($id = null) {
               if (!$id && empty($this->data)) {
                   $this->Session->setFlash(__('Invalid profile', true));
                   $this->redirect(array('action' => 'index'));
               }
               if (!empty($this->data)) {
                   if ($this->Profile->save($this->data)) {
                       $this->Session->setFlash(__('The profile has been saved', true));
                       $this->redirect(array('action' => 'index'));
                   } else {
                       $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
                   }
               }
               if (empty($this->data)) {
                   $this->data = $this->Profile->read(null, $id);
               }
               $users = $this->Profile->User->find('list');
               $this->set(compact('users'));
           }

   
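The "your add a profile code goes here" part of the addProfile() action in andrewperk's message above, as an added example rather than the poster's code, together with the Profile model it saves into. Two points the thread does not spell out: the owner (user_id) should come from the session rather than from the submitted form, and the "find, then insert" check is two separate queries, so a unique index on profiles.user_id is what really enforces one profile per user. Assumed: CakePHP 1.3 and the Profile belongsTo User association described earlier in the thread; the column and index names are hypothetical.

```php
<?php
// app/models/profile.php (added example, not code from the thread)
class Profile extends AppModel {
    var $name = 'Profile';
    var $belongsTo = array('User');

    // findByUserId() in addProfile() and the later insert are two queries, so
    // two overlapping requests from the same session can both see "no profile"
    // and both insert. This rule rejects the second one during validation in
    // the common case; the unique index is what enforces it at the database:
    //   ALTER TABLE profiles ADD UNIQUE INDEX profiles_user_id (user_id);
    var $validate = array(
        'user_id' => array(
            'rule'    => 'isUnique',
            'message' => 'This user already has a profile',
        ),
    );
}

// app/controllers/profiles_controller.php (the elided save part of addProfile)
class ProfilesController extends AppController {
    var $name = 'Profiles';
    var $components = array('Auth', 'Session');

    function addProfile() {
        $userId = $this->Auth->user('id');

        // Same check as in the thread: a user who already has a profile is sent away.
        if ($this->Profile->findByUserId($userId)) {
            $this->Session->setFlash('You already have a profile');
            $this->redirect(array('controller' => 'users', 'action' => 'index'));
        }

        if (!empty($this->data)) {
            // Take the owner from the session, not from the form, so a client
            // cannot post data[Profile][user_id] for somebody else's account.
            $this->data['Profile']['user_id'] = $userId;
            // Drop any posted id so this is always an insert, never an update
            // of an existing row chosen by the client.
            unset($this->data['Profile']['id']);
            $this->Profile->create();
            if ($this->Profile->save($this->data)) {
                $this->Session->setFlash('Profile created');
                $this->redirect(array('controller' => 'users', 'action' => 'index'));
            }
            $this->Session->setFlash('The profile could not be saved. Please, try again.');
        }
    }
}
```

If the isUnique rule loses the race, save() fails on the index instead, which is the behaviour wanted: at no point can a second row for the same user_id exist, so the edit-by-owner lookup elsewhere in the thread can safely assume a single match.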

Issues With Auth Component

2011-09-02 Thread tubiz
I have already set up the auth component and it is working perfectly.
But I just discovered a problem.
There are two users in my users table; when I am logged in as one of the
users I can access the other user's details just by changing the id.
This wouldn't be secure, as a logged-in user can access all the details of
other users.
Please, how can I stop this so that a logged-in user is only able to
view his own details and not other users' details?



Re: Issues With Auth Component

2011-09-02 Thread andrewperk
You need to scope the update to only update the logged in user. That
way when a user accesses the update action it will only allow them to
update their own account.

For instance on the action to update a user fetch that user like so:

public function update() {
    // This sets the logged in user as the user to update
    $this->User->id = $this->Auth->user('id');

    // Prepopulate form with logged in user details
    if (empty($this->data)) {
        $this->data = $this->User->read();
    }
    // Save user
    else {
        if ($this->User->save($this->data)) {
            $this->Session->setFlash('Update successful.', 'default',
                array('class' => 'success'));
            $this->redirect(array('action' => 'view', $this->Auth->user('id')));
        }
        // There was an error
        else {
            $this->Session->setFlash('Errors while updating:', 'default',
                array('class' => 'error'));
        }
    }
}

If for some reason you need the functionality of passing in the user
ID to the update action then do a check to see if the id passed in
matches the logged in user, if not redirect  and don't allow them to
edit. So you modify the code above to have an if:

public function update($id = null) {
    if ($id != $this->Auth->user('id')) {
        // User is accessing someone else's profile, don't let them edit
        $this->redirect(array('action' => 'index'));
    }

    // the rest of the update code below..
}

On Sep 2, 11:55 am, tubiz tayi...@gmail.com wrote:
 I have already set up the auth component and it is working perfectly.
 But I just discovered a problem.
 There are two users in my users table; when I am logged in as one of the
 users I can access the other user's details just by changing the id.
 This wouldn't be secure, as a logged-in user can access all the details of
 other users.
 Please, how can I stop this so that a logged-in user is only able to
 view his own details and not other users' details?



Re: Issues With Auth Component

2011-09-02 Thread tubiz
Thanks for your help. Please, I still can't restrict access to only the
logged-in user's details. This is my edit code:

function edit($id = null) {
    if (!$id && empty($this->data)) {
        $this->Session->setFlash(__('Invalid profile', true));
        $this->redirect(array('action' => 'index'));
    }
    if (!empty($this->data)) {
        if ($this->Profile->save($this->data)) {
            $this->Session->setFlash(__('The profile has been saved', true));
            $this->redirect(array('action' => 'index'));
        } else {
            $this->Session->setFlash(__('The profile could not be saved. Please, try again.', true));
        }
    }
    if (empty($this->data)) {
        $this->data = $this->Profile->read(null, $id);
    }
    $users = $this->Profile->User->find('list');
    $this->set(compact('users'));
}


Would be very grateful if you can edit it to include what you wrote
initially.
Thanks

On Sep 3, 5:12 am, andrewperk andrewp...@gmail.com wrote:
 You need to scope the update to only update the logged in user. That
 way when a user accesses the update action it will only allow them to
 update their own account.

 For instance on the action to update a user fetch that user like so:

 public function update() {
     // This sets the logged in user as the user to update
     $this->User->id = $this->Auth->user('id');

     // Prepopulate form with logged in user details
     if (empty($this->data)) {
         $this->data = $this->User->read();
     }
     // Save user
     else {
         if ($this->User->save($this->data)) {
             $this->Session->setFlash('Update successful.', 'default',
                 array('class' => 'success'));
             $this->redirect(array('action' => 'view', $this->Auth->user('id')));
         }
         // There was an error
         else {
             $this->Session->setFlash('Errors while updating:', 'default',
                 array('class' => 'error'));
         }
     }
 }

 If for some reason you need the functionality of passing in the user
 ID to the update action then do a check to see if the id passed in
 matches the logged in user, if not redirect  and don't allow them to
 edit. So you modify the code above to have an if:

 public function update($id = null) {
     if ($id != $this->Auth->user('id')) {
         // User is accessing someone else's profile, don't let them edit
         $this->redirect(array('action' => 'index'));
     }

     // the rest of the update code below..
 }

 On Sep 2, 11:55 am, tubiz tayi...@gmail.com wrote:

  I have already set up the auth component and it is working perfectly.
  But I just discovered a problem.
  There are two users in my users table; when I am logged in as one of the
  users I can access the other user's details just by changing the id.
  This wouldn't be secure, as a logged-in user can access all the details of
  other users.
  Please, how can I stop this so that a logged-in user is only able to
  view his own details and not other users' details?
