I'm building a user panel, and having some problems with data validation. As an example, the page where you change your password (custom validation rule comparing string from two fields (password, confirm password)):
Route:
Router::connect('/profile/password', array('controller' => 'users', 'action' => 'profile_password'));
Controller:
function profile_password()
{
$this->User->setValidation('password'); // using the Multivalidatable behaviour
$this->User->id = $this->Session->read('Auth.User.id');
if (empty($this->data))
{
$this->data = $this->User->read();
} else {
$this->data['User']['password'] = $this->Auth->password($this->data['User']['password_change']);
if ($this->User->save($this->data))
{
$this->Session->setFlash('Edytowano hasło.', 'default', array('class' => 'success'));
$this->redirect(array('action' => 'profile'));
}
}
}
The problem is, that when I get to http://website.com/profile/password and mistype in one of the fields, the script goes back to http://website.com/users/profile_password/5 (5 being current logged users' id). When I type it correctly then it works, but I don't really want the address to change.
It seems that routes aren't supported by validation... (?) I'm using Cake 1.3 by the way.
Any help would be appreciated,
Paul
EDIT 1:
Changing the view from:
echo $form->create(
'User',
array(
'url' => array('controller' => 'users', 'action' => 'profile_password'),
'inputDefaults' => array('autocomplete' => 'off')
)
);
to:
echo $form->create(
'User',
array(
'url' => '/profile/password',
'inputDefaults' => array('autocomplete' => 'off')
)
);
does seem to do the trick, but that's not ideal.
Check the URL of the form in the profile_password.ctp view file.
Try the following code:
echo $this->Form->create('User', array('url' => array('controller' => 'users', 'action' => 'profile_password')));
Also, I think your form might be a little vulnerable. Try using Firebug or something similar to POST a data[User][id] to your action. If I'm right, you should be setting:
$this->data['User']['id'] = $this->Auth->user('id');
instead of:
$this->User->id = $this->Session->read('Auth.User.id');
because your id field is set in $this->data.
HTH.
Related
In my CakePHP application, I have applied Url validations so that admin can access only those actions which are defined for admin and same as with users.
In my application, "surveylist" is the action of admin and when any user directly access that action(surveylist), URL validations work(Unauthorized access msg is displayed).
But below that message ctp file of surveylist executes forcefully and show errors because I have validated URL through the try-catch block and it cannot get the set variables of action.
I want that ctp file should not execute if unauthorize error comes.
My code for surveylist is:-
public function surveylist($pg=null){
try{
if($this->checkPageAccess($this->params['controller'] . '/' . $this->params['action'])){
$this->Paginator->settings = array(
'Survey' => array(
'limit' => 5,
'order' => 'created desc',
'conditions'=>array('is_deleted'=> 0),
'page' => $pg
)
);
$numbers = $this->Paginator->paginate('Survey');
$this->set(compact('numbers'));
}else{
$this->Flash->set(__('Unauthorised access'));
}
}catch(Exception $e){
$this->Flash->set(__($e->getMessage()));
}
}
I don't want the ctp file of surveylist to execute if control comes to else.
Plz, help me out......
Thanx in advance...
I suppose you are using prefix to separate admin and users, if not please do that it is great way to handle and restrict methods.
After doing that you have to make condition to check which prefix(admin, user) is currently active and according that load Auth component and allow action in allow() method of Auth.
Example:
$this->loadComponent('Auth',[
/*'authorize' => [
'Acl.Actions' => ['actionPath' => 'controllers/']
],*/
'loginRedirect' => [
'controller' => 'Users',
'action' => 'index'
],
'authenticate' => [
'Form' => [
'fields' => [
'username' => 'email',
'password' => 'password'
]
]
],
'loginAction' => [
'controller' => 'Users',
'action' => 'login'
],
'unauthorizedRedirect' => [
'controller' => 'Users',
'action' => 'login',
'prefix' => false
],
'authError' => 'You are not authorized to access that location.',
]);
if ($this->request->params['prefix']=='admin') {
// Put actions you want to access to admin in allow method's array
$this->Auth->allow(array('add', 'edit', etc...));
} else if ($this->request->params['prefix']=='user') {
// Put actions you want to access to user in allow method's array
$this->Auth->allow(array('login', 'view', etc...));
}
This way you can restrict actions for particular role.
Hope this helps!
To the point, I'm trying to tighten up my code and stop repeating myself. It's a constant struggle, haha
In both my views and my controllers I am checking to see if the user is signed in. That is fine, but I would like to only have to check to see if the user is in the view and then display the right content.
Originally, in my controller, I'm seeing if the user is there and then if it is I load the same views with different varables. It seems a bit repetative.
public function recentStories(){
//This pulls back all the recent stories
if (empty($this->user)) {
$this->load->view('header_view', array(
'title' => 'Recent Stories',
));
$this->load->view('storyList_view', array(
'query' => $this->data_model->pullAllStories(),
));
$this->load->view('footer_view');
}else{
$this->load->view('header_view',array(
'user' => $this->users_model->getUser($this->user->user_id),
'title' => 'Recent Stories',
));
$this->load->view('storyList_view', array(
'query' => $this->data_model->pullAllStories(),
'admin' => $this->admin_model->pulladminRecent(),
'user' => $this->users_model->getUser($this->user->user_id),
));
$this->load->view('footer_view');
}
}
Ultimitly, I would like to reduce that chunk down to something like this.
public function recentStories(){
//This pulls back all the recent stories
$this->load->view('header_view',array(
'title' => 'Recent Stories',
));
$this->load->view('storyList_view', array(
'query' => $this->data_model->pullAllStories(),
'admin' => $this->admin_model->pulladminRecent(),
'user' => $this->users_model->getUser($this->user->user_id),
));
$this->load->view('footer_view');
}
but when I do reduce that code and take out the part that checks the user I am getting back an error saying that I'm trying to get property of a non-object. Obviously, that is talking about the user.
To try and fix this I have tried both
<?if(isset($user)){
user header code in here
}else{
non-user header code in here
}?>
and
<?if(!empty($user)){
user header code in here
}else{
non-user header code in here
}?>
both have returned back "Trying to get property of non-object" Any ideas would be much welcomed. I really don't like having excess code.
public function recentStories(){
// default values
$header_data = array('title' => 'Recent Stories');
$storyList_data = array('query' => $this->data_model->pullAllStories());
// extended data for logged user
if (!empty($this->user)) {
$header_data['user'] = $this->users_model->getUser($this->user->user_id);
$storyList_data['admin'] = $this->admin_model->pulladminRecent();
$storyList_data['user'] = $this->users_model->getUser($this->user->user_id);
}
// load your views
$this->load->view('header_view', $header_data);
$this->load->view('storyList_view', $storyList_data);
$this->load->view('footer_view');
}
then in your views check "if (isset($user)) {" etc.
I have two cakephp2 applications running on same database, but having different Auth tables and different $this->Auth->userModel values accordingly.
Authentication works well and users from one app can't log into other.
BUT.. as apps uses same CAKEPHP session cookie, this happens:
when user from app 'one' logs in, it can access any Auth protected action in app 'two'!
I will probably use different user roles and cookie names.
But still, why Auth component is ignoring Auth->userModel settings when checking the session? Is there a way to configure it to work right in this situation?
Thanks in advance for any suggestions.
If not configured otherwise, AuthComponent will write the authenticated user record to the Auth.User session key in CakePHP 2. But it can be changed:
AuthComponent::sessionKey
The session key name where the record of the current user is stored. If unspecified, it will be "Auth.User".
(In CakePHP 1.3 this was different: Auth.{$userModel name})
So, if your apps share a Session, which they do, if cookie name and Security.salt match, the logged in record will be shared.
There are two possibilities to solve this:
Separate the logins
Simply set a different AuthComponent::sessionKey for your two models. This will allow them to keep the logged in user separately
Separate the sessions
Configure different Cookie names and Salts for both apps, so their sessions cannot override each other. This is probably the cleaner solution, because it also covers the risk of other session keys being double-used.
I have a similar issue which is why I've started a bounty on this question. Basically I have a public facing part of the application which lets users login from one table and an administrative part of the application which lets admins login using a different table. My AppController looks something like this:
public $components = array(
'Session',
'Auth' => array(
'autoRedirect' => false,
'authenticate' => array(
'Form' => array(
'userModel' => 'User'
)
),
'loginAction' => array('controller' => 'users', 'action' => 'login'),
'loginRedirect' => array('controller' => 'users', 'action' => 'overview'),
'logoutRedirect' => array('controller' => 'users', 'action' => 'loggedout')
)
);
and I have another AdminController where I have this:
public $components = array(
'Session',
'Auth' => array(
'authenticate' => array(
'CustomForm' => array(
'userModel' => 'Admin'
)
),
'loginAction' => array('controller' => 'admin', 'action' => 'login'),
'loginRedirect' => array('controller' => 'admin', 'action' => 'index'),
'logoutRedirect' => array('controller' => 'home', 'action' => 'index')
)
);
But as mentioned in this question, sessions from the two don't get along and overwrite each other. What's the best way to overcome this?
Extend the Model/Datasource/Session/DatabaseSession.php session handler with something like MyDatabaseSession and overwrite the write and read methods. Maybe simply copy the existing code of both methods and add something like
'app_id' => Configure::read('App.appId')
to the read() conditions and do the same in the write method. And do not forget to add the field to your session database schema and to configure the session to use your handler.
<?php
App::uses('DatabaseSession', 'Model/Datasource/Session');
class ExtendedDatabaseSession extends DatabaseSession {
public function read($id) {
$row = $this->_model->find('first', array(
'conditions' => array(
'app_id' => Configure::read('App.appId'),
$this->_model->primaryKey => $id)));
if (empty($row[$this->_model->alias]['data'])) {
return false;
}
return $row[$this->_model->alias]['data'];
}
public function write($id, $data) {
if (!$id) {
return false;
}
$expires = time() + $this->_timeout;
$record = compact('id', 'data', 'expires');
$record[$this->_model->primaryKey] = $id;
$record['app_id'] = Configure::read('App.appId');
return $this->_model->save($record);
}
}
I do not know your app, so were you write the app id to the config data is up to you, bootstrap or beforeFilter() maybe. You should add it before the session gets initialized I think or you'll need to re-init the session or something. I leave it up to you to look the right point up. :)
I am trying to have a Checkbox "Agree TOS".
If the Checkbox is not checked, I want to put out a Flash Message.
How do I do this?
My View:
<?php
echo $form->create('Item', array('url' => array_merge(array('action' => 'find'), $this->params['pass'])));
echo $form->input('Search', array('div' => false));
echo $form->submit(__('Search', true), array('div' => false));
echo $form->checkbox('tos', array('label' => false, 'value'=>1)).' Agree TOS';
echo $form->error('tos');
echo $form->end();
?>
My Model:
var $check = array(
'tos' => array(
'rule' => array('comparison', 'equal to', 1),
'required' => true,
'allowEmpty' => false,
'on' => 'index',
'message' => 'You have to agree TOS'
));
This seems working for me. Hope it will help.
In model:
'tos' => array(
'notEmpty' => array(
'rule' => array('comparison', '!=', 0),
'required' => true,
'message' => 'Please check this box if you want to proceed.'
)
In view:
<?php echo $this->Form->input('tos', array('type'=>'checkbox', 'label'=>__('I confirm I have read the privacy statement.', true), 'hiddenField' => false, 'value' => '0')); ?>
Model
'agreed' => array(
'notempty' => array(
'rule' => array('comparison', '!=', 0),//'checkAgree',
'message' => ''You have to agree TOS'',
'allowEmpty' => false,
'required' => true,
'last' => true, // Stop validation after this rule
'on' => 'signup', // Limit validation to 'create' or 'update' operations
),
),
View
<?php echo $this->Form->input('agreed',array('value'=>'0'),array('type'=>'checkbox', 'label'=>'Agree to TOS')); ?>
basically, you add the rule "notEmpty" for this field to the public $validate array of the model.
this way an error will get triggered on Model->validates() if the checkbox has not been checked.
maybe some overhead in your case, but if you happen to use it more often try a DRY (dont repeat yourself) approach. you can also use a behavior for this to use this clean and without tempering too much with the model/controller:
// view form
echo $this->Form->input('confirmation', array('type'=>'checkbox', 'label'=>__('Yes, I actually read it', true)));
and in the controller action
// if posted
$this->Model->Behaviors->attach(array('Tools.Confirmable'=>array('field'=>'confirmation', 'message'=>'My custom message')));
$this->Model->set($this->data);
if ($this->Model->validates()) {
// OK
} else {
// Error flash message here
}
1.x:
https://github.com/dereuromark/tools/blob/1.3/models/behaviors/confirmable.php
for 2.x:
https://github.com/dereuromark/cakephp-tools/blob/2.x/Model/Behavior/ConfirmableBehavior.php
3.x: https://github.com/dereuromark/cakephp-tools/blob/master/src/Model/Behavior/ConfirmableBehavior.php
details:
http://www.dereuromark.de/2011/07/05/introducing-two-cakephp-behaviors/
I believe you need try save it into your model to catch your tos rules. I should do something like =
if(!$mymodel->save()){
// catch error tos.
}
$this->ModelName->invalidFields() returns an array of fields that failed validation.
You could try and search this for the tos field, and output a message if the key exists.
~untested (I'm not sure off the top of my head the exact structure of the invalidFields return array.
$failed_fields = $this->ModelName->invalidFields();
if(array_key_exists('tos', $failed_fields)) {
$this->Session->setFlash('Please accept the terms and conditions');
}
you don't even have to have validation rule for tos, just check that at the controller before saving the data.
if($this->data['Model']['tos']==1){
// save data
}else{
//set flash
}
I've been at this most of the day now, and I cannot get this working for the life of me (well I can get it 1/2 working but not fully correctly).
Basically, I am trying to use Validation on a search form field like so:
if(isset($search['ApplicantAge']) && !empty($search['ApplicantAge'])) {
if ($this->Plan->validates()) {
$ApplicantAge = $search['ApplicantAge'];
}
}
And here is my model code:
...
'ApplicantAge' => array(
'required' => true,
'allowEmpty' => false,
'rule' => 'numeric',
'message' => 'A valid Age is required. Please enter a valid Age.'),
...
The validation is working BUT when I enter a number (numeric), it displays my error! And when it's blank NO error displays, and when I enter letters it seems to work : ( ??
Does anyone know a trick to this odd behavior?
Try using the 'notEmpty' rule instead of the required/allowEmpty stuff.
'ApplicantAge' => array(
'applicant-age-numeric'=> array(
'rule' => 'numeric',
'message' => 'A valid Age is required. Please enter a valid Age.'
),
'applicant-age-not-empty'=> array(
'rule' => 'notEmpty',
'message' => 'This field cannot be left blank'
)
)
firstly why are you using the field 'ApplicantAge' when the conventions say its should be lower case under scored?
to answer your question the best way to do validation like that is http://book.cakephp.org/view/410/Validating-Data-from-the-Controller
the other option is to do $this->Model->save($data, array('validate' => 'only'));
The manual did not assist me at all : (
But your suggestion on the validate => only array seems to have done the trick. This is how I got it working:
plans_controller.php
if (isset($search['ApplicantAge'])) {
$this->Plan->save($search, array('validate' => 'only'));
if ($this->Plan->validates($this->data)) {
$ApplicantAge = $search['ApplicantAge'];
}
}
plan.php (model)
var $validate = array(
'ApplicantAge' => array(
'applicant-age-numeric' => array(
'rule' => 'numeric',
'message' => 'A valid Age is required. Please enter a valid Age.'),
'applicant-age-not-empty' => array(
'rule' => 'notEmpty',
'message' => 'This field cannot be left blank'),
),
Now, if no data is entered in the ApplicateAge field, the proper message is displayed. And if a non-numeric is entered, the correct message is also displayed.
This was a lot more challenging than I thought it would be!
For the record, I'll make a correction to my earlier accepted post. Little did I know the validate => only on the save() was actually still saving data to my plans table.
I was able to get it working using set(). Here is the code that completely solved the problem:
plans_controller.php
if (isset($search['ApplicantAge'])) {
$this->Plan->set($this->data);
if ($this->Plan->validates()) {
$ApplicantAge = $search['ApplicantAge'];
}
}
plan.php (model):
var $validate = array(
'ApplicantAge' => array(
'applicant-age-numeric' => array(
'rule' => 'numeric',
'message' => 'A valid Age is required. Please enter a valid Age.'),
'applicant-age-not-empty' => array(
'rule' => 'notEmpty',
'message' => 'This field cannot be left blank'),
)