如何防止其他用户在cakephp3中编辑我的个人资料
[英]how to prevent other users to edit my profile in cakephp3
问题描述
I have simple program using cakephp3, when I try to directly put this into browser: 
当我尝试直接将其放入浏览器时,我有一个使用cakephp3的简单程序:
http://localhost/sample/users/edit/82 http:// localhost / sample / users / edit / 82
it directly goes to login page. 它直接进入登录页面。 Then after the login, my code still can edit the profile even that profile is not the current user login. 登录后,即使该配置文件不是当前用户登录名,我的代码仍然可以编辑该配置文件。
Below is my edit code 下面是我的编辑代码
public function edit($id = null)
{
$user = $this->Users->get($id, [
'contain' => []
]);
if ($this->request->is(['patch', 'post', 'put'])) {
$user = $this->Users->patchEntity($user, $this->request->data);
if ($this->Users->save($user)) {
$this->Flash->success(__('The user has been saved.'));
return $this->redirect(['action' => 'index']);
} else {
$this->Flash->error(__('The user could not be saved. Please, try again.'));
}
}
$this->set(compact('user'));
$this->set('_serialize', ['user']);
}
edit.ctp
<div class="actions columns large-2 medium-3">
<h3><?= __('Actions') ?></h3>
<ul class="side-nav">
<li><?= $this->Form->postLink(
__('Delete'),
['action' => 'delete', $user->id],
['confirm' => __('Are you sure you want to delete # {0}?',
$user->id)]
)
?></li>
<li><?= $this->Html->link(__('List Users'), ['action' => 'index']) ?>
</li>
</ul>
<div class="users form large-10 medium-9 columns">
<?= $this->Form->create($user) ?>
<fieldset>
<legend><?= __('Edit User') ?></legend>
<?php
echo $this->Form->input('username');
echo $this->Form->input('password');
?>
</fieldset>
<?= $this->Form->button(__('Submit')) ?>
<?= $this->Form->end() ?>
</div>
2 个解决方案
解决方案1
0 已采纳 2017-08-16 06:14:11
You have to check the existing user is trying to update his/her profile. 您必须检查现有用户是否正在尝试更新其个人资料。 You can do something like this. 你可以做这样的事情。
All this on top of your edit method 所有这些都在您的编辑方法之上
public function edit($id = null)
{
$logged_user_id=$this->Auth->user('id');
if($logged_user_id==$id){
$user = $this->Users->get($id, [
'contain' => []
]);
if ($this->request->is(['patch', 'post', 'put'])) {
$user = $this->Users->patchEntity($user, $this->request->data);
if ($this->Users->save($user)) {
$this->Flash->success(__('The user has been saved.'));
return $this->redirect(['action' => 'index']);
} else {
$this->Flash->error(__('The user could not be saved. Please, try again.'));
}
}
$this->set(compact('user'));
$this->set('_serialize', ['user']);
} else {
$this->Flash->error(__('You are not allowed to do this.'));
}
}
解决方案2
0 2017-08-16 13:36:20
In my case and like ndm say, i don't use session, that's what i do (hope it helps): 就我而言,就像ndm所说的,我不使用会话,这就是我所做的(希望它有所帮助):
public function edit($id = null)
{
if(!is_null($this->Auth->user())): // if the user is logged
if(is_null($id)) { $id = $this->Auth->user('id'); }
if($this->Auth->user()['group_id']<>1): // in my case group 1 is for the administrator group, i let them edit profile
$id = $this->Auth->user('id'); // in this case, if the user is not an administrator, id will always be his "user id"
endif;
endif;
if ($this->request->is(['patch', 'post', 'put'])) {
$user = $this->Users->patchEntity($user, $this->request->data);
if ($this->Users->save($user)) {
$this->Flash->success(__('The user has been saved.'));
return $this->redirect(['action' => 'edit', $id]);
}
$this->Flash->error(__('The user could not be saved. Please, try again.'));
}
$this->set(compact('user'));
$this->set('_serialize', ['user']);
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.