Preventing record edits by hitting the URL directly in CakePHP

Time: 2015-10-08 06:47:34

Tags: php cakephp

How do I prevent a user from opening a URL like the following directly in the browser, so that he cannot edit a record that way:


http://localhost/demo_cake/users/edit/7

My edit code in the controller looks like this; any suggestions are welcome:

  public function edit() {
    $id = $this->request->params['pass'][0];
    $this->User->id = $id;
    if( $this->User->exists() ){
        if( $this->request->is( 'post' ) || $this->request->is( 'put' ) ){
            if( $this->User->save( $this->request->data ) ){
                $this->Session->setFlash('User was edited.');
                $this->redirect(array('action' => 'index'));
            }else{
                $this->Session->setFlash('Unable to edit user. Please, try again.');
            }
        }else{
            $this->request->data = $this->User->read();
        }
    }else{
        $this->Session->setFlash('The user you are trying to edit does not exist.');
        $this->redirect(array('action' => 'index'));
    }
  }

index.php

<h2>Users</h2>

<!-- link to add new users page -->
<div class='upper-right-opt'>
    <?php echo $this->Html->link( '+ New User', array( 'action' => 'add' ) ); ?>
</div>

<table style='padding:5px;'>
    <!-- table heading -->
    <tr style='background-color:#fff;'>
        <th>ID</th>
        <th>Firstname</th>
        <th>Lastname</th>
        <th>Username</th>
        <th>Email</th>
        <th>Actions</th>
    </tr>

<?php
    //loop to show all retrieved records
    foreach( $users as $user ){

        echo "<tr>";
            echo "<td>{$user['User']['id']}</td>";
            echo "<td>{$user['User']['firstname']}</td>";
            echo "<td>{$user['User']['lastname']}</td>";
            echo "<td>{$user['User']['username']}</td>";
            echo "<td>{$user['User']['email']}</td>";

            //here are the links to edit and delete actions
            echo "<td class='actions'>";
                echo $this->Html->link( 'Edit', array('action' => 'edit', $user['User']['id']) );

                //in cakephp 2.0, we won't use get request for deleting records
                //we use post request (for security purposes)
                echo $this->Form->postLink( 'Delete', array(
                        'action' => 'delete', 
                        $user['User']['id']), array(
                            'confirm'=>'Are you sure you want to delete that user?' ) );
            echo "</td>";
        echo "</tr>";
    }
?>

</table>

3 answers:

Answer 0 (score: 3)

Usually you check whether the user ID in the session is the same as the user ID of the record he is trying to change, or whether the session's user ID has sufficient privileges to act on other users.

Answer 1 (score: 0)

Something like this

<button type="submit" name="cmd_edit" value="id_here">Edit</button>

Answer 2 (score: 0)

You should use your own isAuthorized($user = null) {} function and check whether the user has sufficient permissions to perform this action. Have a look at Authorization (who's allowed to access what)
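The following is an added example that is not part of the question or of any of the answers above; it puts the check described in Answer 0 (session user ID equals the record ID, or the user has a privileged role) into the isAuthorized() hook that Answer 2 refers to, for CakePHP 2.x. It assumes AuthComponent is configured with the 'Controller' authorize handler and that the User model has a 'role' column with values such as 'admin' and 'user'; both of those are assumptions, not something the question states.

```php
<?php
// Added example (CakePHP 2.x), not the asker's or CakePHP's own code.
// Assumption: the users table has a 'role' column ('admin' or 'user').
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public $components = array(
        'Session',
        'Auth' => array(
            // Delegate every authorization decision to isAuthorized() below.
            'authorize' => array('Controller'),
            'loginRedirect'  => array('controller' => 'users', 'action' => 'index'),
            'logoutRedirect' => array('controller' => 'users', 'action' => 'login'),
        ),
    );

    // Called by AuthComponent for every action that is not explicitly allowed.
    // $user is the logged-in user's record as stored in the session.
    public function isAuthorized($user = null) {
        if (!is_array($user) || !isset($user['id'])) {
            return false;                       // not logged in: deny
        }

        // Administrators may run any action on any record.
        if (isset($user['role']) && $user['role'] === 'admin') {
            return true;
        }

        // Any logged-in user may list and view users.
        if (in_array($this->action, array('index', 'view'), true)) {
            return true;
        }

        // edit/delete: the id passed in the URL (the "7" in /users/edit/7)
        // must be the id of the logged-in user himself.
        if (in_array($this->action, array('edit', 'delete'), true)) {
            $id = isset($this->request->params['pass'][0])
                ? $this->request->params['pass'][0] : null;
            return $id !== null && (string)$id === (string)$user['id'];
        }

        // Anything else is denied (fail closed).
        return false;
    }

    public function edit($id = null) {
        $this->User->id = $id;
        if (!$this->User->exists()) {
            throw new NotFoundException(__('Invalid user'));
        }

        if ($this->request->is('post') || $this->request->is('put')) {
            // Pin the primary key to the authorized id so a forged User.id
            // in the request body cannot redirect the update to another row.
            $this->request->data['User']['id'] = $id;

            // Whitelist the columns a user may change; 'role' is deliberately
            // absent so a normal user cannot promote himself.
            $options = array(
                'validate'  => true,
                'fieldList' => array('firstname', 'lastname', 'username', 'email'),
            );
            if ($this->User->save($this->request->data, $options)) {
                $this->Session->setFlash(__('User was edited.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Unable to edit user. Please, try again.'));
        } else {
            $this->request->data = $this->User->read(null, $id);
        }
    }
}
```

The ownership test lives in isAuthorized() rather than inside edit() so that the same rule also protects delete() and any future action that takes a record id; the fieldList whitelist is a second, independent check so that even an authorized owner cannot change columns the form was never meant to expose.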