Home/ Questions/Q 8113717
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-06T02:55:11+00:00

I have this in my Controller. public function delete($id) { if($this->request->is(‘get’)) { throw new

  • 0

I have this in my Controller.

public function delete($id) {
    if($this->request->is('get')) {
        throw new MethodNotAllowedException();
    }

    $this->Memberlist->id = $id;
    if (!$this->Memberlist->exists()) {
        throw new NotFoundException(__('Invalid list.'));
    }
    if ($this->Memberlist->delete()) {
        $this->Session->setFlash(__('List deleted.'), 'success');
        return $this->redirect(array('action'=>'index'));
    }
    $this->Session->setFlash(__('List was not deleted.'), 'error');
    return $this->redirect(array('action'=>'index'));
}

My Model looks like this: (belongsTo)

<?php

class Memberlist extends AppModel {
    public $name = 'Memberlist';
    public $belongsTo = array(
            'Account' => array(
            'className' => 'Account',
            'foreignKey' => 'account_id'
        )
    );

In one of my views, I have something like this:

echo $this->Form->postLink('Delete', 
                    array('action' => 'delete', $list['Memberlist']['id']),
                    array('class'=>'btn-mini btn', 'confirm' => 'Are you sure?'));

Which creates a HTML like this:

<form id="post_4fe15efc0d284" method="post" style="display:none;" name="post_4fe15efc0d284" action="/Grid/memberlists/delete/9">
<input type="hidden" value="POST" name="_method">
<input id="Token1627936788" type="hidden" value="8756f7ad21f3ab93dd6fb9a4861e3aed4496f3f9" name="data[_Token][key]">
<div style="display:none;">
</form>
<a class="btn-mini btn" onclick="if (confirm('Are you sure?')) { document.post_4fe15efc0d284.submit(); } event.returnValue = false; return false;" href="#">Delete</a>

The problem is that when I update the ID found in action="/Grid/memberlists/delete/9" using Firebug (or any developer tool), I can pretty much delete anything! Even from a different account. Even though I have the Security Component turned on.

What would be the proper way to do this? I am thinking of checking the account_id against the account_id of the currently logged-in user. But I am just curious if CakePHP has something out-of-the-box that fixes this issue?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You could add beforeDelete callback into your model, and query database and check if user is allowed to delete record and or is he owner.

    • 0