Prevent editing a record by directly hitting the URL in CakePHP

How can I prevent a user from directly hitting a URL in the browser, so that he cannot edit a record like this:

http://localhost/demo_cake/users/edit/7

My edit code in the controller is as follows; please advise:

  public function edit() {
    // id comes straight from the URL (/users/edit/7): nothing checks who is asking
    $id = $this->request->params['pass'][0];
    $this->User->id = $id;
    if( $this->User->exists() ){
        if( $this->request->is( 'post' ) || $this->request->is( 'put' ) ){
            if( $this->User->save( $this->request->data ) ){
                $this->Session->setFlash('User was edited.');
                $this->redirect(array('action' => 'index'));
            }else{
                $this->Session->setFlash('Unable to edit user. Please, try again.');
            }
        }else{
            // GET request: load the record into the form
            $this->request->data = $this->User->read();
        }
    }else{
        $this->Session->setFlash('The user you are trying to edit does not exist.');
        $this->redirect(array('action' => 'index'));
    }
  }

index.php

<h2>Users</h2>
<!-- link to add new users page -->
<div class='upper-right-opt'>
    <?php echo $this->Html->link( '+ New User', array( 'action' => 'add' ) ); ?>
</div>
<table style='padding:5px;'>
    <!-- table heading -->
    <tr style='background-color:#fff;'>
        <th>ID</th>
        <th>Firstname</th>
        <th>Lastname</th>
        <th>Username</th>
        <th>Email</th>
        <th>Actions</th>
    </tr>
<?php

    //loop to show all retrieved records
    foreach( $users as $user ){
        echo "<tr>";
            echo "<td>{$user['User']['id']}</td>";
            echo "<td>{$user['User']['firstname']}</td>";
            echo "<td>{$user['User']['lastname']}</td>";
            echo "<td>{$user['User']['username']}</td>";
            echo "<td>{$user['User']['email']}</td>";
            //here are the links to edit and delete actions
            echo "<td class='actions'>";
                echo $this->Html->link( 'Edit', array('action' => 'edit', $user['User']['id']) );
                //in cakephp 2.0, we won't use get request for deleting records
                //we use post request (for security purposes)
                echo $this->Form->postLink( 'Delete', array(
                        'action' => 'delete', 
                        $user['User']['id']), array(
                            'confirm'=>'Are you sure you want to delete that user?' ) );
            echo "</td>";
        echo "</tr>";
    }
?>
</table>

Normally you would check whether the session's user id is the same as the user id of the record he is trying to change, or whether the session's user id has sufficient rights to do this for other users.

Like this:

<button type="submit" name="cmd_edit" value="id_here">Edit</button>

You should use your own isAuthorized($user = null){} function and check whether the user has sufficient rights to perform this action. Take a look at Authorization (who's allowed to access what).
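As an added illustration of the check the answers above describe (this is example code, not code from the question or the answers), a CakePHP 2.x UsersController with AuthComponent in Controller authorize mode; the `role` column, the 'admin' value and the set of actions opened to every logged-in user are assumptions.

```php
<?php
// Added example, not code from the question or its answers: a CakePHP 2.x
// controller enforcing the ownership check the answers describe.
// Assumptions: AuthComponent in 'Controller' authorize mode, and a logged-in
// user array containing 'id' and a 'role' column (hypothetical).
App::uses('AppController', 'Controller');

class UsersController extends AppController {
    public $components = array(
        'Session',
        'Auth' => array('authorize' => 'Controller'),
    );

    // AuthComponent calls this before every non-public action.
    // Deny by default; only the listed cases return true.
    public function isAuthorized($user = null) {
        $action = $this->request->params['action'];
        $id = isset($this->request->params['pass'][0]) ? (int)$this->request->params['pass'][0] : 0;

        if (in_array($action, array('index', 'add'))) {
            return true; // any logged-in user
        }
        if (in_array($action, array('edit', 'delete'))) {
            if (!empty($user['role']) && $user['role'] === 'admin') {
                return true; // admins may manage other users
            }
            // Everyone else may only touch their own record; this is what
            // stops /users/edit/7 being opened from a different account.
            return $id > 0 && (int)$user['id'] === $id;
        }
        return false;
    }

    public function edit($id = null) {
        $this->User->id = $id;
        if (!$this->User->exists()) {
            throw new NotFoundException(__('Invalid user'));
        }
        if ($this->request->is('post') || $this->request->is('put')) {
            // Ignore any id smuggled into the form body; save only the
            // record that isAuthorized() actually approved.
            $this->request->data['User']['id'] = $id;
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash(__('User was edited.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Unable to edit user. Please, try again.'));
        } else {
            $this->request->data = $this->User->read(null, $id);
        }
    }
}
```

With this in place a request for /users/edit/7 from a non-admin account whose id is not 7 is rejected by AuthComponent before the action body runs, and a forged `User.id` in the POST body cannot redirect the save to another record.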