jnemecz

Reputation: 3618

How to secure UPDATE action in CakePHP?

I would like to avoid UPDATE security problem in my multi-user CakePHP application. I'll illustrate it on this simple example. There is a simple edit method such this:

public function edit($id)
{
    if ($this->request->is('post')) {
        // save() takes the primary key from the submitted data
        // ($this->request->data['Template']['id']), not from the $id URL parameter.
        $updated = $this->Template->save($this->request->data);
        // Do some logic here...
    }

    // Load the record for the form (only the URL $id is used here).
    $this->request->data = $this->Template->find('first', array(
        'conditions' => array('Template.id' => $id)
    ));
}

Problem: when somebody modifies the POST data and changes the ID (PK of the record), CakePHP will modify the record of another user. I would like to secure the condition and update the record that is defined by two conditions - its PK AND the user id (owner, logged in user).

There is a model method updateAll() that accepts an array with UPDATE ... WHERE conditions, but this method is not as easy to use as the save() method, because it requires the data array in a different structure than save() does, and I have to modify $this->request->data into the appropriate structure and escape string values.

I had an idea to SELECT the appropriate record with two conditions (PK and owner id) before the update is executed, but I don't like this because it means one more database operation.

Is there another method or workaround to secure the UPDATE operation in CakePHP applications?

Upvotes: 0

Views: 102

Answers (1)

eM.

Reputation: 165

Just load the Security Component, like this:

CakePHP 3

<?php
namespace App\Controller;

use App\Controller\AppController;

class TemplatesController extends AppController
{
    public function initialize()
    {
        parent::initialize();
        // SecurityComponent validates the hidden token FormHelper adds to
        // each form, so hidden fields such as the record id cannot be
        // altered or added without the request being blackholed.
        $this->loadComponent('Security');
    }
}

Read more here: CakePHP Security - form tampering prevention

CakePHP 2

<?php
class TemplatesController extends AppController {

    // Loading SecurityComponent enables form tampering protection for
    // forms generated with FormHelper.
    public $components = array('Security');

}

Read more here: CakePHP Security

Upvotes: 2
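The form token only protects forms your own application rendered; the ownership check the question asks for is still worth enforcing server-side. The following is an added example (not the original poster's or CakePHP's own code) of the question's edit action rewritten in CakePHP 2 style so that the lookup it already performs doubles as the owner check, and the verified id overrides whatever the POST body carries. It assumes AuthComponent provides the logged-in user id and that the Template model has a `user_id` column (both assumptions).

```php
<?php
App::uses('AppController', 'Controller');

class TemplatesController extends AppController {

    public $components = array('Security', 'Auth', 'Session');

    public function edit($id = null) {
        $userId = $this->Auth->user('id');   // assumption: AuthComponent session

        // Resolve the record by primary key AND owner before touching it.
        // Only the route's $id is trusted, never the id inside the POST body.
        // The original action already ran this find, so no extra query is added.
        $template = $this->Template->find('first', array(
            'conditions' => array(
                'Template.id' => $id,
                'Template.user_id' => $userId,   // assumption: owner column
            ),
        ));
        if (!$template) {
            throw new NotFoundException(__('Invalid template'));
        }

        if ($this->request->is('post') || $this->request->is('put')) {
            // Force the primary key to the verified one; a tampered hidden
            // field can no longer redirect the UPDATE to another user's row.
            $this->request->data['Template']['id'] = $template['Template']['id'];

            // fieldList whitelists the columns save() may write, so neither
            // user_id nor any other unexpected column can be mass-assigned.
            $saved = $this->Template->save($this->request->data, array(
                'fieldList' => array('id', 'name', 'body'),   // assumed columns
            ));
            if ($saved) {
                $this->Session->setFlash(__('Template saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Template could not be saved.'));
        } else {
            $this->request->data = $template;
        }
    }
}
```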
