I try to make a new blog. the admin and user logins works fine. My problem is whenever user make login ,he can access the other user iformation too. how to protect those files ??. thanks in advance
Try to add an attribute to your "Users" table, name this attribute "super_admin" and give it a "smallint" type with the size of 1 caracter so he can take only 1 or 0 as a value(Boolean).
The only thing you have to do is checking if the user is a SUPER ADMIN or Not.
For exemple:
$user=$this->request->session()->read('Auth')['User'];
if($user->super_admin == 0)//Not an Admin
{
//Do some stuffs
}
Don't forget to update your "Users" Model when you add the "super_admin" attribute.
For mor info please check AUTHENTIFICATION WITH CAKE PHP 3
GOOD LUCK :)
Related
I have the following workflow on a website:
Some user John Doe declares a company through form 1
(fields: name, head office location)
After John Doe submits (HTTP POST) form 1, he is redirected (HTTP 302) to company form 2 with additional legal information about the company.
The problem is, if John Doe hits the back button of his browser during step 2, he will land on the form 1, with data filled by the browser (using values he already submitted — that's what Firefox and major browsers seem to do).
John Doe might then think he can use this form to update some information (e.g. fix a typo in the name of the company) whereas he will actually create a new company doing so, as we don't know on the server side whether he wants to declare a new company or update the one he just created.
Do you know any simple solution to handle that problem ?
Use javascript/jquery script after the page is loaded to empty all the inputs. This will prevent confusion of "updating the company".
jQuery would look something like this:
$('#elementID').val('');
You can also handle the situation by manipulating the browser history
on load of form 2, and pass the CompanyId generated on submit of form 1 using querystring. So that you can actually update the company as the user
Suppose John submits form1.html, a unique CompanyId "1001" is generated and redirected to form2.html. Now on load of form2 you can modify the browser history form1.html?companyid=1001 using
var stateObj = { foo: "bar" };
history.pushState(stateObj, "page 1", "form1.html?companyid=1001");
Now, when the user click back button and submits the form1 again. you can check for companyid in querystring and update the company.
I think it is more user-friendly when user can return back to previous form and update it (instead preventing the described behavior).
I use in most cases similar way to handle described problem:
Let's assume that user is on the page /some-page, that contains "Create new company" button.
When the user opens this page, will be executed special method createOrFindCompanyDraft() on the server-side. This method creates new company "draft" record in DB (only for the current user). For example, draft record has primary key id=473. When you execute this method again it will return the same record with the id=473 (with "draft" status). "Draft" record should't display on any other interfaces.
And "Create new company" has link /company/common/473.
When user go to /company/common/473, you display form 1, that will be filled from "draft" record. At first time user will see empty form.
Technically user will update the existing record, but you can display "Create new company" title on the page.
Then user go to form 2, for example, /company/legal-info/473, you create similar draft record for the this form (similar to step 1).
When user submit the form 2, you will remove "draft" status from the record id=473 (and any related records).
Next time when user open page /some-page, will be created new draft record for the current user.
Browser history will contain:
/some-page
/company/common/473
/company/legal-info/473
/some-page2
I like this approach, because all form only update records. You can go to previous/next form many times (for example "Back"/"Forward" browser buttons). You can close browser, and open not completed forms tomorrow. This way doesn't require any additional manipulation with the browser history.
try this
<form autocomplete="off" ...></form>
And Another
Use temporary tables or session to store the Page 1 form data. If the page 2 form is submitted use the temporary data of page 1 which is stored in database or in session.
Use a Separate key (Hidden field ) in both page 1 and page 2.
Actually I thought of a trick to obtain that "create on first post, update after" behavior (just like the user thinks it should behave).
Let's say the step 1 form is at the URL /create_company/. Then I could have that page generate a random code XXX and redirect to /create_company/?token=XXX. When I create the company I save the information that it was created through page with token XXX (for instance, I save it in user's session as we don't need to keep that information forever) and when the form is submitted, if I know that a company was already generated using this token, I know the user used the same form instance and must have used the back button since the token would be different if he explicitly asked for another company.
What do you think ? (I initially thought there should be a simpler solution, as this seems a little bit over-engineered for such a simple issue)
This is more like a UX question.
I'd think that the solution lies within the information given to the user on that form, to help them understand what they're doing.
Set a title that says 'Create a company', for example, and set your submit button as 'Create Company' will help your user with that. Use a unique id when you create the company object, and pass the id back to the same URL in order to perform an update. You should then update your title and button that tells user that they are updating instead of creating.
In that sense I'd say it's better to use a more generic URL like /company and /company?id=12345.
You could also consider using Restful API protocol to help your server identifies the CRUD operation. http://www.restapitutorial.com/lessons/httpmethods.html
Without the "routing" part of django it is hard to help. I can just answer my experience from the express.js-router functionality:
you can specify a post on /company, which is for new users.
you can specify another route for post on /company/:companyid for a changing form
and as a response from the create-post you can redirect to the different location.
I am working on a small app using phalcon for php framework. I have implemented multiple controllers and models, but so far when I want to edit a user for example, i use a link that links to
localhost/myappname/User/edit/11 "user's id"
I was told this is not the best way to do this, and I am trying to do this without passing the id through the url, like using post method like in forms but without success so far.
Is this the only correct way to edit or delete an entry or it there something better?
I tried to search for the problem but couldn't figure how to name this question so I am yet to find an answered question.
If you don't want to let everyone access to edit page you can do this in a few ways.
Solution #1
You can use Phalcon ACL to block user's who has no permission to edit this page so only allowed people like managers can edit user or whatever.
See Access Control Lists ACL
Solution #2
You can crypt/decrypt user id so in URL it will not be readable by humans and then in edit method try to dectypt that id and if it is not a valid echo error.
<?php
use Phalcon\Crypt;
// Create an instance
$crypt = new Crypt();
$key = 'le password';
$user_id = 5;
$encrypt = $crypt->encryptBase64($user_id, $key);
// Use $encrypt for URL like Edit
// Use decrypt to get the real id of a user
$crypt->decryptBase64($encrypt, $key);
?>
In this way users will see URL something like
localhost/myappname/User/edit/nomGPPXd+gAEazAP8ERF2umTrfl9GhDw1lxVvf39sGKF34AFNzok31VdaT/OwADPPJ4XgaUNClQKrlc/2MfaXQ==
For more info see Encryption/Decryption
But my personal opinion is that it is better to go with ACL. After all ACL was made for that kind of things.
Note! If you want to use Encrypt/Decript remember to wrap decryption
in edit method in try/catch block and catch exception so you don't
get Error if someone tries to guess sone id.
Solution #3
If you still want to do that using POST then don't use Edit instead you can try something like:
<form method="POST">
<input type="hidden" name="uid" value="{{ user_id }}"/>
<button type="submit">Edit</button>
</form>
And then in edit method catch that id like:
<?php
$user_id = $this->request->getPost("uid");
?>
NOTE! In this way your URL will not contain user id but someone still
can POST another uid so you can try to hide that real user id even
from input type hidden. You can use again crypt/decrypt so input
hidden uid can be crypted and then decrypt post data in method.
you could use sessionStorage. It would store the value of the userId in the browser and be deleted as soon as they leave the page.
http://www.w3schools.com/html/html5_webstorage.asp
set on one page
sessionStorage.userId = 11;
access on another
var user = sessionStoarge.userId;
I would like to install on my website a «verefied account» feature. But I wondered what was the best way to get there, with MySQL and PHP?
I tried to put a column «verified», in witch I post the badge picture name (verified.png), but by doing it this way, users with no verified account saw the space occupied by the badge, with empty space with an X in the upper left corner.
So, any idea on the best way to achieve this?
Thanks!
You need to go deeper. You are missing huge part of web design and PHP.
What's the correct way too implement this?
1- Add a Boolean/Bit "Verified" Column 0/1
2- In your PHP page, you need a simple condition:
If(Column("Verified") == True) {
echo '<img src=\"verified.png\" />'
} else {
//Nothing!
}
Create a column verified_account in your users table. When you want to validate an account, you should add something like YES or NO to the proper user. Then, on your page, you only have to call something like:
SELECT verified_account FROM users WHERE ID = $session_id
IF verified_account = YES
echo = YOUR_IMAGE_HERE
you can try to add a row to your mysql database that is of type ENUM, and set it value to 0 if not verified, and 1 if verified. Then check the value of the ENUM for that particular user and if it is one, display the image.
While a record is edited,how should be the ID stored ? I could have a textbox with enabled false, but I don't like this approach.
In ASP.NET I used to have a property which has saved the value in viewstate(Actually a hidden field + encrypted value).
The only solution I found Is to use a hidden field. Is it save enough ?
Are there any others options ?
If you wish it to work in stateless mode, you need to add id to the url.
http://mywebsite/users/123/edit
Otherwise use the Session collection.
There is also the TempData collection to store data between two requests only. It may or may not be of use to you though.
P.S. Hidden field is also an option.
Is the ID auto-generated by SQL Server?
If yes, hiding this is an approach you can consider. Either you can hide it or remove it entirely.
We removed all the ID textboxes on our ASP.NET MVC Projects.
Cheers
It is save enough if you check permissions.
If a user is allowed to edit something with ID 1 and 2 nothing happens if he decides do change the ID. If he changes ID 1 to ID 2 it is the same as if he edits the dataset with ID 2 in the userinterface. If he tries to change the ID to 3 you have to block it ("You are not allowed to edit this dataset ...")
I need help to quickly add about >100 username and password to a locally installed Wordpress.
I have a list of usernames in text file, and I'd let each password to be equal to username (or someother function if equal is not allowed by Wordpress).
Is there a way I can programmatically add users to Wordpress? I have access to wordpress database if that helps.
Thanks.
If you don't want to use a plugin and you have your users and passwords stored in an array, simply throw it into a loop and use the 'wp_create_user' function. It takes 3 parameters (username, password and email). It will return the ID if successful and false if not.
http://codex.wordpress.org/Function_Reference/wp_create_user
Check out this plugin, it will let you import users from a csv which is basically what you're looking to do:
http://www.dagondesign.com/articles/import-users-plugin-for-wordpress/