PHP

Reputation: 1709

Stop a field from being updated in CakePHP

In my CakePHP application, I have an edit form where the "email" field is readonly, which means the user cannot update it. Now, if I think about it from a security point of view, the user can still update the field with Firebug or some other browser plugin.

I am using $this->User->save($this->data) to save the updated data. With this function the email can also be updated.

Do we have any way in CakePHP to prevent this field from being updated, for example by passing an argument here or something like that?

Upvotes: 0

Views: 1713

Answers (4)

Jon Ashdown

Reputation: 175

If security is a concern, simply reject any data that has unexpected values. In Cake you could do this, but it can be adapted for any framework/CMS:

/**
 * Checks input array against array of expected values.
 *
 * Checks a single-dimension input array against an array of expected keys.
 * For best results put this in app_controller.
 *
 * @param array $data - 1 dimensional array of values received from untrusted source
 * @param array $expected - list of expected fields
 * @return boolean - true if all fields are expected, false if any field is unexpected.
 */
protected function _checkInput($data, $expected) {
  foreach (array_keys($data) as $key) {
    if (!in_array($key, $expected)) {
      // an unexpected (possibly injected) field was submitted
      return false;
    }
  }
  return true;
}

/**
 * edit method.
 *
 * put this in <Model>_controller
 * @param string $id
 * @return void
 * @todo create errors controller to handle incorrect requests
 * @todo configure htaccess and Config/routes.php to redirect errors to errors controller
 * @todo setup log functionality to record hack attempts
 * @todo populate $expected with fields relevant to current model
 */
function edit($id = null) {
  // only these keys may appear in the submitted Model data
  $expected = array('expectedVal1', 'expectedVal2');
  $this->Model->id = $id;
  if (!$this->Model->exists()) {
    throw new NotFoundException(__('Invalid model'));
  }
  if ($this->request->is('post')) {
    if (!$this->_checkInput($this->request->data['Model'], $expected)) {
      //log the ip address and time
      //redirect to somewhere safe (405 is the HTTP status sent with the redirect)
      return $this->redirect(array('controller' => 'errors', 'action' => 'view'), 405);
    }
    if ($this->Model->save($this->request->data)) {
      //do post save routines
      //redirect as necessary
    } else {
      $this->Session->setFlash(__('The model could not be saved. Please, try again.'));
    }
  }
  $this->set('model', $this->Model->read($expected, $id));
}

Upvotes: 1

petervaz

Reputation: 14175

You can use the Security component and make the email field hidden. While using this component, hidden fields can't be changed or Cake will blackhole the form.

http://book.cakephp.org/1.3/en/view/1296/Security-Component

If your application is public it is strongly recommended that you use Security; otherwise it is kinda trivial to inject data into your models by submitting extra fields on the form, and when you do $this->Model->save($this->data) the extra fields are saved, unless you do the extra work of validating every field of $this->data.

Upvotes: 0
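To make the Security component approach concrete, here is an added example (not code from the answer above or from CakePHP itself) of a CakePHP 2.x controller that loads SecurityComponent, installs a blackhole callback, and renders the email as a hidden field. The class, field and callback names (UsersController, email, blackHoleHandler) are assumptions chosen for illustration. With the component loaded, FormHelper signs the form with a token that hashes the field names and the values of hidden fields, so a client-side edit of the hidden email or an injected extra field fails the check and the request is blackholed instead of reaching save().

```php
<?php
// Added example: SecurityComponent protecting a hidden, read-only email field.
// Names below (UsersController, blackHoleHandler, the view path) are assumptions.
App::uses('AppController', 'Controller');
App::uses('CakeLog', 'Log');

class UsersController extends AppController {

    // Loading SecurityComponent makes FormHelper emit a signed token covering the
    // set of field names and every hidden field's value in the form.
    public $components = array('Session', 'Security');

    public function beforeFilter() {
        parent::beforeFilter();
        // Called instead of a bare 400 response when token validation fails.
        $this->Security->blackHoleCallback = 'blackHoleHandler';
    }

    /**
     * Invoked by SecurityComponent when a request is blackholed ($type is
     * 'auth' for a form whose hidden fields or field set were modified).
     * Log the event for detection, then refuse the request.
     */
    public function blackHoleHandler($type) {
        CakeLog::write('warning', sprintf(
            'Blackholed form (%s) from %s', $type, $this->request->clientIp()
        ));
        throw new BadRequestException(__('The submitted form was modified.'));
    }

    public function edit($id = null) {
        $this->User->id = $id;
        if (!$this->User->exists()) {
            throw new NotFoundException(__('Invalid user'));
        }
        if ($this->request->is('post') || $this->request->is('put')) {
            // Only reached if the Security token check passed, so the hidden
            // email value is the one the server rendered.
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash(__('User saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The user could not be saved.'));
        } else {
            $this->request->data = $this->User->read(null, $id);
        }
    }
}

// Matching view, assumed at app/View/Users/edit.ctp (shown as comments so this
// file stays a single PHP unit):
//   echo $this->Form->create('User');
//   echo $this->Form->input('email', array('type' => 'hidden'));
//   echo $this->Form->input('name');
//   echo $this->Form->end(__('Save'));
```

Note that the protection depends on the hidden-field value being part of the signed token: a plain readonly text input is not covered, since its value is not hashed, which is why the answer says to make the field hidden. If you also want to display the address, render it as text outside the form controls and keep the hidden input for the value.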

Krishna

Reputation: 1540

You can simply remove the email field from $this->data:

unset($this->data['User']['email']);
$this->User->save($this->data);

Upvotes: 3

Sudhir Bastakoti

Reputation: 100175

You could do something like:

$dontUpdateField = array('email');
$this->Model->save(
    $this->data,
    true,
    array_diff(array_keys($this->Model->schema()), $dontUpdateField)
);

Upvotes: 1
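The three server-side answers above (reject unexpected keys, unset the protected key, pass a fieldList to save()) compose well as layers. The following added example (not code from any answer or from CakePHP) puts them into one CakePHP 2.x edit action: it derives the writable column list from the model schema minus a protected set, as the last answer does, logs and refuses a submission that carries keys outside that list, and then passes the list as the fieldList argument of Model::save() so that save() itself cannot write a protected column even if an earlier check is misconfigured. UsersController, the email and role fields, and the helper name _unexpectedKeys are assumptions for illustration.

```php
<?php
// Added example: layered, server-side enforcement of read-only columns on edit.
// Names (UsersController, $_protected contents, _unexpectedKeys) are assumptions.
App::uses('AppController', 'Controller');
App::uses('CakeLog', 'Log');

class UsersController extends AppController {

    public $components = array('Session');

    // Columns that an edit form must never change, whatever the client sends.
    protected $_protected = array('id', 'email', 'role', 'created', 'modified');

    /**
     * Writable columns = every column in the schema except the protected ones.
     * Deriving the list from the schema means a new column is editable by
     * default while the sensitive ones stay locked.
     */
    protected function _editableFields() {
        return array_values(array_diff(
            array_keys($this->User->schema()), $this->_protected
        ));
    }

    /**
     * Return the submitted keys that are not in the allowed list. An empty
     * result means the form carried only what the server rendered.
     */
    protected function _unexpectedKeys(array $submitted, array $allowed) {
        return array_values(array_diff(array_keys($submitted), $allowed));
    }

    public function edit($id = null) {
        $this->User->id = $id;
        if (!$this->User->exists()) {
            throw new NotFoundException(__('Invalid user'));
        }
        $editable = $this->_editableFields();

        if ($this->request->is('post') || $this->request->is('put')) {
            $submitted = isset($this->request->data['User'])
                ? $this->request->data['User'] : array();

            // Layer 1: detect tampering. A field the form never rendered
            // (e.g. email or role) is a signal worth logging, not just dropping.
            $extra = $this->_unexpectedKeys($submitted, $editable);
            if ($extra) {
                CakeLog::write('warning', sprintf(
                    'Unexpected edit fields [%s] for user %s from %s',
                    implode(',', $extra), $id, $this->request->clientIp()
                ));
                throw new BadRequestException(__('Unexpected form fields.'));
            }

            // Layer 2: fieldList bounds the write. Even if layer 1 were
            // removed or misconfigured, save() will not touch a protected column.
            if ($this->User->save($this->request->data, true, $editable)) {
                $this->Session->setFlash(__('User saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The user could not be saved. Please, try again.'));
        } else {
            $this->request->data = $this->User->read(null, $id);
        }
        // Give the view the address for display only; it is not a form input.
        $this->set('email', $this->User->field('email'));
    }
}
```

If you prefer the lenient behaviour of the unset() answer, replace the BadRequestException with `unset($this->request->data['User'][$key])` for each key in $extra; the fieldList still guarantees the protected columns are never written, and the log line keeps the evidence that something was submitted that the form does not produce.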
