I have a simple application using CakePHP 3. When I enter this URL directly in the browser:
http://localhost/sample/users/edit/82
it goes straight to the login page. But after logging in, my code can still edit that profile, even though the profile does not belong to the currently logged-in user.
Here is my edit code:
    public function edit($id = null)
    {
        // Loads whatever id was passed in the URL; nothing ties it to the logged-in user.
        $user = $this->Users->get($id, [
            'contain' => []
        ]);
        if ($this->request->is(['patch', 'post', 'put'])) {
            $user = $this->Users->patchEntity($user, $this->request->data);
            if ($this->Users->save($user)) {
                $this->Flash->success(__('The user has been saved.'));
                return $this->redirect(['action' => 'index']);
            } else {
                $this->Flash->error(__('The user could not be saved. Please, try again.'));
            }
        }
        $this->set(compact('user'));
        $this->set('_serialize', ['user']);
    }
edit.ctp
    <div class="actions columns large-2 medium-3">
        <h3><?= __('Actions') ?></h3>
        <ul class="side-nav">
            <li><?= $this->Form->postLink(
                    __('Delete'),
                    ['action' => 'delete', $user->id],
                    ['confirm' => __('Are you sure you want to delete # {0}?', $user->id)]
                )
            ?></li>
            <li><?= $this->Html->link(__('List Users'), ['action' => 'index']) ?></li>
        </ul>
    </div>
    <div class="users form large-10 medium-9 columns">
        <?= $this->Form->create($user) ?>
        <fieldset>
            <legend><?= __('Edit User') ?></legend>
            <?php
                echo $this->Form->input('username');
                echo $this->Form->input('password');
            ?>
        </fieldset>
        <?= $this->Form->button(__('Submit')) ?>
        <?= $this->Form->end() ?>
    </div>
Answer 0 (score: 0)
You have to check whether the existing user is trying to update his/her own profile. You can do it like this.
All of this goes at the top of your edit method:
    public function edit($id = null)
    {
        // Compare the id from the URL with the id of the logged-in user.
        $logged_user_id = $this->Auth->user('id');
        if ($logged_user_id == $id) {
            $user = $this->Users->get($id, [
                'contain' => []
            ]);
            if ($this->request->is(['patch', 'post', 'put'])) {
                $user = $this->Users->patchEntity($user, $this->request->data);
                if ($this->Users->save($user)) {
                    $this->Flash->success(__('The user has been saved.'));
                    return $this->redirect(['action' => 'index']);
                } else {
                    $this->Flash->error(__('The user could not be saved. Please, try again.'));
                }
            }
            $this->set(compact('user'));
            $this->set('_serialize', ['user']);
        } else {
            $this->Flash->error(__('You are not allowed to do this.'));
            // Redirect away; otherwise edit.ctp would render without $user and fail.
            return $this->redirect(['action' => 'index']);
        }
    }
Answer 1 (score: 0)
In my case, as ndm said, I don't use sessions; this is what I did (hope it helps):
    public function edit($id = null)
    {
        if (!is_null($this->Auth->user())): // if the user is logged in
            if (is_null($id)) { $id = $this->Auth->user('id'); }
            if ($this->Auth->user()['group_id'] <> 1): // in my case group 1 is the administrator group; I let them edit any profile
                $id = $this->Auth->user('id'); // if the user is not an administrator, id will always be his own user id
            endif;
        endif;
        // Load the entity for the (possibly overridden) id before patching it.
        $user = $this->Users->get($id, [
            'contain' => []
        ]);
        if ($this->request->is(['patch', 'post', 'put'])) {
            $user = $this->Users->patchEntity($user, $this->request->data);
            if ($this->Users->save($user)) {
                $this->Flash->success(__('The user has been saved.'));
                return $this->redirect(['action' => 'edit', $id]);
            }
            $this->Flash->error(__('The user could not be saved. Please, try again.'));
        }
        $this->set(compact('user'));
        $this->set('_serialize', ['user']);
    }
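Both answers put the ownership check inside the action itself. The CakePHP 3 way to enforce the same rule for every action at once is the controller's isAuthorized() hook, which AuthComponent calls when it is configured with 'authorize' => 'Controller'. The following is an added example, not code from the question or either answer. It assumes CakePHP 3.4 or later (getParam()/getData() on the request, the 'fields' option of patchEntity()), that AppController loads AuthComponent with 'authorize' => 'Controller', and, following answer 1's convention, that the users table has a group_id column where 1 marks administrators. It combines the owner-only rule from answer 0 with the admin exception from answer 1, and additionally whitelists the fields a user may patch so a crafted POST cannot change id or group_id through mass assignment.

```php
<?php
// src/Controller/UsersController.php (added example; assumes AppController does
// $this->loadComponent('Auth', ['authorize' => 'Controller', ...]) in initialize()).
namespace App\Controller;

class UsersController extends AppController
{
    // Assumed constant: group_id value that marks administrators (see answer 1).
    const ADMIN_GROUP_ID = 1;

    /**
     * Called by AuthComponent (ControllerAuthorize) for every action once the
     * user is logged in. $user is the session user array. Return true to allow.
     */
    public function isAuthorized($user)
    {
        $action = $this->request->getParam('action');

        // Administrators may run any action in this controller.
        if (isset($user['group_id']) && (int)$user['group_id'] === self::ADMIN_GROUP_ID) {
            return true;
        }

        // For edit/delete the first positional URL argument is the target id;
        // a normal user may only target his own record.
        if (in_array($action, ['edit', 'delete'], true)) {
            $pass = $this->request->getParam('pass');
            $targetId = isset($pass[0]) ? (int)$pass[0] : null;
            return $targetId !== null && $targetId === (int)$user['id'];
        }

        // Everything else (index, view, ...) stays denied for normal users;
        // adjust to taste.
        return false;
    }

    public function edit($id = null)
    {
        // Defence in depth: repeat the check here so the action stays safe even
        // if the 'authorize' setting is removed or misconfigured later.
        $isAdmin = (int)$this->Auth->user('group_id') === self::ADMIN_GROUP_ID;
        if (!$isAdmin && (int)$id !== (int)$this->Auth->user('id')) {
            $this->Flash->error(__('You are not allowed to edit this profile.'));
            return $this->redirect(['action' => 'index']);
        }

        $user = $this->Users->get($id, ['contain' => []]);

        if ($this->request->is(['patch', 'post', 'put'])) {
            // Only these two fields come from the form; 'fields' stops a crafted
            // request from also setting id, group_id or other columns.
            $user = $this->Users->patchEntity($user, $this->request->getData(), [
                'fields' => ['username', 'password'],
            ]);
            if ($this->Users->save($user)) {
                $this->Flash->success(__('The user has been saved.'));
                return $this->redirect(['action' => 'index']);
            }
            $this->Flash->error(__('The user could not be saved. Please, try again.'));
        }

        $this->set(compact('user'));
        $this->set('_serialize', ['user']);
    }
}
```

With this in place, a request to /users/edit/82 by a non-admin whose session id is not 82 is rejected by AuthComponent before the action runs (it flashes the unauthorized message and redirects), and the in-action check covers the case where authorization is not configured at all. Note that on CakePHP versions before 3.4 the option is called fieldList rather than fields and the request data is read from $this->request->data.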