CakePHP的避免登录用户访问其他用户的帐户 [英] cakephp avoid logged in users to access other user's account

问题描述

我正在开发使用CakePHP 1.3.7网络。一切都很好，我很喜欢它，但我只是来翻过，我无法弄清楚如何解决（可能是因为我的知识的缺乏）的问题。

I'm developing a web with CakePHP 1.3.7. Everything is going fine and I love it, but I just came accross a problem (probably because of my lack of knowledge) that I can't figure out how to fix.

这是我的问题：

在网站上，有典型的管理我的帐户区，在这里用户可以当他们登录的访问。在这方面，有调用在同一个'用户'控制器称为动作链接edit_items。因此，当一个用户进入 edit_items ，动作作为参数接收用户的标识（类似domain.com/users/edit_items/45，其中45是用户的ID ），以及示出了在表格中的信息。问题来了，如果我直接到浏览器的地址栏和更改45用于其他任何用户的ID，那么其他用户的信息也显示，即使该用户没有登录，这显然是一个很大的安全问题。

In the website, there's the typical 'manage my account' area, where users can only access when they're logged in. In this area, there's a link that calls to an action in the same 'users' controller called 'edit_items'. So when a user goes to edit_items, the action receives as a parameter the user's id (something like domain.com/users/edit_items/45, where 45 is the user's id), and shows the information in a form. The problem comes if I go directly to the address bar of the browser and change that 45 for any other user's Id, then the information of that other user is also shown, even if that user is not logged in. This is obviously a big security issue.

我一直在试图避免从验证组件传递用户的ID作为参数，并得到它（我使用的）是 $这个 - > Auth->用户（'身份证'）。无论出于何种原因，我可以读取记录用户的信息到表单很好，但是当我尝试保存表单上的变化，我得到一个错误，如果在保存的行动失败了，我有不知道为什么。

I've been trying to avoid passing the user's id as a parameter and getting it from the Auth component (which I'm using) with $this->Auth->User('id'). For whatever reason, I can read the logged user's info into the form fine, but when I try to save the changes on the form, I get an error as if the save action had failed, and I have no clue why.

有没有其他办法避免我的问题？还是要弄清楚为什么在保存返回错误？

Is there any other way to avoid my problem? Or to figure out why the save is returning an error?

谢谢！

修改

所以，问题来自于验证，这里的交易：当用户填写表单创建一个新的项目，也有一定的领域，其中一些带有验证规则的应用。但是，当用户回到编辑的项目，并不是所有的字段可编辑，只有一些。有没有可能，因为在创建项目时，需要验证某些字段不能进行编辑时用，导致错误？怎样才能避免呢？我可以更改验证规则仅适用于在修改操作？

SO the problem comes from the validation, here's the deal: when the user fills out the form to create a new item, there are certain fields, some of them with validation rules applied. However, when the user goes back to edit the item, not all the fields are editable, only some. Is it possible that, since some fields that required validation when creating the item are not available when editing, that causes the error? How can avoid that? Can I change the validation rules only for the edit action?

中发生的事情举例：创建一个项目时，该字段为 ITEM_NAME ，它应用了一些验证。当编辑的项目，它的名字不能被改变，所以它不是在编辑表单中。我相信这是什么可能会导致错误，也许是因为在 ITEM_NAME 丢失？

Example of what's happening: when creating an item,one of the fields is item_name, which has some validation applied to it. When editing the item, its name can not be changed, so it's not shown in the edit form. I believe this what may be causing the error, maybe because the item_name is missing?

推荐答案

您已打开正确的方向 - 通过USER_ID的网址是当用户需要编辑自己的信息是一个坏主意。

You are turned on the right direction - passing user_id on the url is a bad idea when the users need to edit their own details.

您可以使用下列内容：前实际保存表单时保存您可以将USER_ID传递到发布的数据。事情是这样的：

You can use following: when saving your form before the actual save you can pass the user_id to the posted data. Something like this:

if (!empty($this->data)) {
   $this->data['User']['id'] = $this->Auth->user('id');
   ... //Some extra stuff
   if ($this->User->save($this->data)) {
      ... //success
   } else {
      ... //error
   }
}

这种方式登录的用户将覆盖它自己的记录始终。检查你有你的模型的一些验证规则，给你这个错误。

This way the logged user will override it's own record always. Check if you have some validation rules in your model which give you this error.

这篇关于CakePHP的避免登录用户访问其他用户的帐户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！