  • When using the UpdateProfile snippet, how can I prevent certain fields from being updated by the user? For example, I may want the "comment" field to be edited only by administrators. Creating a form with only a limited number of fields doesn’t work, since an HTML-savvy user can just submit extra values with the form, and these extra values are processed and inserted into the database.
      WebsiteZen.com - MODX and E-Commerce web development in the San Francisco Bay Area
      I would be tempted to make a copy of the "UpdateProfile" snippet (from the Login extra) with a name of your choice and call it instead of the one provided. There is a section with the comment "/* handle validation */". Add code at an appropriate point to filter out fields you don’t want the user updating.
        __________________
        JRG
      • Great, thanks. Maybe I will add an option (such as "RestrictedToFields") and suggest it on GitHub. Git is on my to-learn list, so it will probably be a suggestion and not a push for now smiley.
          I’m not sure, but I think you could use a plugin attached to OnBeforeUserFormSave, check the inputs against the DB and undo any changes to fields that you don’t want edited.
            Did I help you? Buy me a beer
            Get my Book: MODX:The Official Guide
            MODX info for everyone: http://bobsguides.com/modx.html
            My MODX Extras
            Bob's Guides is now hosted at A2 MODX Hosting
            Quote from: BobRay at Dec 29, 2010, 07:55 AM

            I’m not sure, but I think you could use a plugin attached to OnBeforeUserFormSave, check the inputs against the DB and undo any changes to fields that you don’t want edited.

            Any validation code increases processing load. Any code that has to double-check, increases that further. Any code that has to access the database, is apt to slow response times noticeably.

            I’d suggest trying to impose the restriction in a way that prevents the update in the first place. Additionally, that might avoid opening security loop-holes.

            Happy New Year everyone smiley
            • I suggested in the bug tracker that an extra parameter be added to the snippet called &allowedFields=`fullname,favorite_color,etc...`.

              This is probably a minor security issue, since if you didn’t want a user to change their username or email, they can currently do so if they added an email or username field via firebug or something.
                I don’t use that snippet, but if it has a Tpl chunk for the display, you could add this to the input fields:

                readonly="readonly"
                • But doesn’t that still allow people to modify it by modifying the HTML of the page before they submit the form?

                  The issue is that the UpdateProfile field accepts all POST parameters passed with the form, whether or not they were in the original form.
                    Quote from: Oleg at Feb 14, 2011, 04:06 AM

                    But doesn’t that still allow people to modify it by modifying the HTML of the page before they submit the form?

                    The issue is that the UpdateProfile field accepts all POST parameters passed with the form, whether or not they were in the original form.

                    Yes, modifying UpdateProfile would be a better choice.

                    I think this would do it:

                    In the UpdateProfile snippet, change:

                    <?php
                    /* Escape MODX tag brackets in every submitted value so a field
                       cannot inject [[...]] tags (entities restored; the page rendered them) */
                    foreach ($fields as $k => $v) {
                        $fields[$k] = str_replace(array('[',']'), array('&#91;','&#93;'), $v);
                    }


                    to something like this:

                    <?php
                    /* Drop any submitted field named in the &readOnly property
                       before the values reach the database */
                    if (!empty($login->config['readOnly'])) {
                        $ignore = explode(',', $login->config['readOnly']);

                        foreach ($fields as $k => $v) {
                            if (in_array($k, $ignore)) {
                                unset($fields[$k]);
                            }
                        }
                    }

                    /* Escape MODX tag brackets in the remaining values */
                    foreach ($fields as $k => $v) {
                        $fields[$k] = str_replace(array('[',']'), array('&#91;','&#93;'), $v);
                    }


                    Combined with readonly="readonly" in the Tpl chunk, and a &readOnly parameter with a comma-separated list of restricted fields, that should protect the fields.

                    If you get that working, you could submit it as a pull request for the Login package.
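A stand-alone illustration of the server-side filtering discussed in this thread, written for this page and not taken from the Login package: it applies the &readOnly denylist from the reply above and the &allowedFields allowlist suggested earlier, then escapes MODX tag brackets. The function name, the option strings and the sample POST data are assumptions for illustration.

```php
<?php
// Added example, not the Login extra's own code. Option names and the
// constructed POST array below are assumptions for illustration only.

/**
 * Keep only the profile fields a user is allowed to change.
 * When $allowed is non-empty it wins: every key not listed is dropped.
 * Keys listed in $readOnly are dropped in either mode. Because filtering
 * runs on the server, extra inputs added to the form client-side are
 * discarded no matter what the HTML said.
 */
function filterProfileFields(array $fields, $allowed = '', $readOnly = '')
{
    $allow  = array_filter(array_map('trim', explode(',', $allowed)));
    $ignore = array_filter(array_map('trim', explode(',', $readOnly)));

    foreach ($fields as $k => $v) {
        if (!empty($allow) && !in_array($k, $allow, true)) {
            unset($fields[$k]);   // not on the allowlist: discard silently
            continue;
        }
        if (in_array($k, $ignore, true)) {
            unset($fields[$k]);   // explicitly read-only: discard
            continue;
        }
        // Neutralise MODX tag brackets so a value cannot carry [[...]] tags
        $fields[$k] = str_replace(array('[', ']'), array('&#91;', '&#93;'), (string) $v);
    }
    return $fields;
}

// Constructed POST payload: the form only offered fullname and favorite_color,
// but the submission also carries "email" and "comment" fields.
$post = array(
    'fullname'       => 'Jane Doe',
    'favorite_color' => 'blue [[*id]]',
    'email'          => 'changed@example.invalid',
    'comment'        => 'set by the user, not an admin',
);

// Denylist mode (&readOnly): only fullname and favorite_color survive
$clean = filterProfileFields($post, '', 'comment,email,username');

// Allowlist mode (&allowedFields): same result, safer default for new fields
$cleanAllow = filterProfileFields($post, 'fullname,favorite_color');

print_r($clean);
print_r($cleanAllow);
```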
                    • Thanks for the code, I’ll try it out. Git is still on my to-learn list, though smiley.