Cakephp2.0 URL ID can be changed to user make it so its not allowed

42 Views Asked by ryzzo11 At 07 February 2023 at 04:29

contorller- this is part where i am trying to figure out /form/edit/315 but i as a user can change to form/edit/316 and will see another users data. if anyone can that would be much appreciated!

if ($this->success === true) {

            $this->Form->set($this->request->data);

            if ($this->Session->id('id')!= $id) {

                $this->redirect(array('controller' => 
                                    'form', 'action' => 'home'));
                $this->Session->setFlash(__('Not allowed'));
            } else {

            }

for user not allow to access other users data by changing id in the url

Original Q&A

There are 1 best solutions below

ryzzo11 On 08 February 2023 at 03:39 BEST ANSWER

Figured it out !
Had to set form.id = user.id, so only the owner can see the task they created otherwise will send elsewhere

if ($this->success === true) {

    $Form = ClassRegistry::init('Form'); # Instantiation

    $existingTask = $Form->find('first', array(
        'conditions' => array(
            'Form.id'=> $id,
            'Form.user_id' => $this->Auth->user('id')
        ),
        'recursive' => -1
    ));
    
    if (empty($existingTask)){
        $this->redirect(array('controller' => 'form', 'action' => 'home'));
        $this->Flash->set('id not found');
    }

}

Cakephp2.0 URL ID can be changed to user make it so its not allowed

There are 1 best solutions below

Related Questions in PHP

Related Questions in CAKEPHP

Related Questions in CAKEPHP-2.0

Trending Questions

Popular # Hahtags

Popular Questions