tags:

views:

47

answers:

3
+3  Q: 

CakePHP: Make datafield admin-editable only

In my data model, I've got a field that should be admin-editable only. Normal users can edit records in the model and view this specific field, but they should not be able to edit it. Is there a simple/clean approach to do this? I guess that it's necessary to create an extra admin_edit controller action, but what's the best way to "lock" a data field in the controller?

+1  A: 

Depending on your setup, this could easily be handled as a validation method in the model. Write a custom function in the model to check if the user has permission.

You could also do it in model with beforeSave(). If the field is there and they don't have permission, remove it.

Codeacula  2010-10-01 13:21:29
+2  A: 

It's not necessary to create a new controller action, but you may decide so. Note that you can still use the same view for it using $this->render("edit") see: http://book.cakephp.org/view/428/render

I think you should:

  • use the same controller action, if that's not confusing for the users and admins
  • display an input field only if the user is admin, and output the text for other users
  • check for authorization in the controller
Adam  2010-10-01 13:52:08
A: 

you can simly check on the admin role in the edit view

if (hasRoleAdmin) {
 echo $this->Form->input(...);
}
mark  2010-10-01 19:14:19
This would be simple to realize, but it's not secure. *If* an evil user would supply a modified-by-hand HTTP POST request which contains this field, he could edit it nevertheless.
joni  2010-10-04 08:53:53
i was talking about roles SAVED in the session. if they would be insecure by themselves, no website in the world would be secure. but i guess you mean the POST part itself. didnt catch that right away. of course you always need to make sure that users cannot "save" more data then they should. but that has to be done in the controller right before calling save(). details: http://www.dereuromark.de/2010/09/21/saving-model-data-and-security/
mark  2010-10-04 22:57:07
thanks, that blog post seems useful for me. (It feels strange to communicate in English with a native speaker of your own language)
joni  2010-10-05 10:56:10

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases