user3653474

Reputation: 3852

Prevent editing a record by directly hitting the URL in CakePHP

How do I prevent a user from hitting the URL directly in the browser so that he can't edit a record like this:

http://localhost/demo_cake/users/edit/7

My edit code in the controller is given below. Please give any suggestions:

  public function edit() {
    // the record id comes straight from the URL, e.g. /users/edit/7
    $id = $this->request->params['pass'][0];
    $this->User->id = $id;

    if( $this->User->exists() ){
        if( $this->request->is( 'post' ) || $this->request->is( 'put' ) ){
            // form submitted: save the posted data onto the selected record
            if( $this->User->save( $this->request->data ) ){
                $this->Session->setFlash('User was edited.');
                $this->redirect(array('action' => 'index'));
            }else{
                $this->Session->setFlash('Unable to edit user. Please, try again.');
            }
        }else{
            // first visit: pre-fill the form with the existing record
            $this->request->data = $this->User->read();
        }
    }else{
        $this->Session->setFlash('The user you are trying to edit does not exist.');
        $this->redirect(array('action' => 'index'));
    }
  }

index.php

<h2>Users</h2>

<!-- link to add new users page -->
<div class='upper-right-opt'>
    <?php echo $this->Html->link( '+ New User', array( 'action' => 'add' ) ); ?>
</div>

<table style='padding:5px;'>
    <!-- table heading -->
    <tr style='background-color:#fff;'>
        <th>ID</th>
        <th>Firstname</th>
        <th>Lastname</th>
        <th>Username</th>
        <th>Email</th>
        <th>Actions</th>
    </tr>

<?php
    //loop to show all retrieved records
    foreach( $users as $user ){

        echo "<tr>";
            echo "<td>{$user['User']['id']}</td>";
            echo "<td>{$user['User']['firstname']}</td>";
            echo "<td>{$user['User']['lastname']}</td>";
            echo "<td>{$user['User']['username']}</td>";
            echo "<td>{$user['User']['email']}</td>";

            //here are the links to edit and delete actions
            echo "<td class='actions'>";
                echo $this->Html->link( 'Edit', array('action' => 'edit', $user['User']['id']) );

                //in cakephp 2.0, we won't use get request for deleting records
                //we use post request (for security purposes)
                echo $this->Form->postLink( 'Delete', array(
                        'action' => 'delete', 
                        $user['User']['id']), array(
                            'confirm'=>'Are you sure you want to delete that user?' ) );
            echo "</td>";
        echo "</tr>";
    }
?>

</table>

Upvotes: 0

Views: 568

Answers (3)

om1

Reputation: 166

You should use your own isAuthorized(user=null){} function and check if the user has sufficient rights to fulfil this operation. Have a look at Authorization (who's allowed to access what).

Upvotes: 0

Julio Soares

Reputation: 1190

Normally you would check if the session's user id is the same as the user id of the record he is trying to change, or if the session's user id has enough privileges to do so to other users.

Upvotes: 3
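The two answers above describe the same control from two sides: an isAuthorized() hook that AuthComponent runs before every action, and an ownership rule that compares the session's user id with the id in the URL. The following CakePHP 2 controller is an added example (not code from the question or from either answer) showing both together. It assumes a users table with the columns from the question plus a hypothetical `role` column used for the admin case, and that AuthComponent is already set up with Form authentication.

```php
<?php
// Added example for a CakePHP 2 UsersController. Because 'authorize' is set to
// 'Controller', AuthComponent calls isAuthorized($user) before any action runs,
// so typing /users/edit/7 into the address bar is checked the same way as
// clicking the Edit link.
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public $components = array(
        'Auth' => array(
            'authenticate' => array('Form'),
            'authorize'    => array('Controller'),
            'loginAction'  => array('controller' => 'users', 'action' => 'login'),
        ),
    );

    public function beforeFilter() {
        parent::beforeFilter();
        // Only registration and login are reachable without a session.
        $this->Auth->allow('add', 'login');
    }

    /**
     * Called by AuthComponent with the logged-in user's row.
     * Deny unless the user is acting on their own record or is an admin.
     */
    public function isAuthorized($user) {
        // 'role' is a hypothetical column; adapt to your own schema.
        if (isset($user['role']) && $user['role'] === 'admin') {
            return true;
        }
        if (in_array($this->action, array('edit', 'delete'), true)) {
            $pass = $this->request->params['pass'];
            $id = isset($pass[0]) ? (string)$pass[0] : '';
            // Require a purely numeric id and compare as integers, so that
            // '7' matches 7 and anything else (missing, 'abc', '7x') is denied.
            return ctype_digit($id) && (int)$id === (int)$user['id'];
        }
        // Listing and viewing are open to any logged-in user.
        return in_array($this->action, array('index', 'view', 'logout'), true);
    }

    public function edit($id = null) {
        // By the time this runs, isAuthorized() has already approved $id.
        if (!$this->User->exists($id)) {
            $this->Session->setFlash('The user you are trying to edit does not exist.');
            return $this->redirect(array('action' => 'index'));
        }
        if ($this->request->is('post') || $this->request->is('put')) {
            $this->User->id = $id;
            // Whitelist the editable fields so a crafted POST cannot change
            // id or role even if the form is tampered with.
            $fields = array('firstname', 'lastname', 'username', 'email');
            if ($this->User->save($this->request->data, true, $fields)) {
                $this->Session->setFlash('User was edited.');
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash('Unable to edit user. Please, try again.');
        } else {
            $this->request->data = $this->User->read(null, $id);
        }
    }
}
```

The ownership check lives in isAuthorized() rather than in edit() so that the same rule also covers the delete postLink from the index view, and the field whitelist on save() is the second half of the defence: authorization decides which record may be touched, the whitelist decides which columns.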

Sam Teng Wong

Reputation: 2439

Something like this:

<button type="submit" name="cmd_edit" value="id_here">Edit</button>

Upvotes: 0
