UpdateProfile Security - How do I lock certain fields from user input?

24,544 Posts

BobRay Reply #11, 13 years, 2 months ago

Quote from: Oleg at Feb 14, 2011, 05:10 AM

Thanks for the code, I’ll try it out. Git is still on my to-learn list, though .

Git is a stern mistress at first, but once you get used to it, you can’t live without it. wink

The guide is here: http://rtfm.modx.com/display/community/MODx+GitHub+Contributor%27s+Guide

You would be forking this repo: https://github.com/splittingred/Login rather than the modx repo (once you have a GitHub account, just go there and click on the Fork button), and then cloning it like this:

$ git clone [email protected]:YourGitUsername/Login.git
$ cd Login
$ git remote add upstream -f https://github.com/splittingred/Login.git

Of course you’d also have to have a Git client on your machine, which can be a challenge to set up, but you only have to do it once.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

☆ A M B ☆
91 Posts

Oleg Reply #12, 13 years, 2 months ago

Thanks for the info. I’ll give it a go after I get the code tested. I did install Git successfully on my Windows computer, and I even created a GitHub account, but I have yet to do anything with it grin

.

A quick note: I use extended fields, so I will modify your code slightly. Instead of &readOnly fields, I will use &allowedFields, and change it to if NOT in_array:

<?php
if (!empty($login->config['allowedFields'])) {
    $allow = explode(',', $login->config['allowedFields']);
    foreach ($fields as $k => $v) {
        if (!in_array($k, $allow) {
            unset $fields[$k];          
         }
    }
}

That way, users can’t just add a million extended fields. Not that someone would figure it out grin

, but you never know....

WebsiteZen.com - MODX and E-Commerce web development in the San Francisco Bay Area

24,544 Posts

BobRay Reply #13, 13 years, 2 months ago

I was thinking that most users would only want to restrict a small number of fields, but I see your point. You could have two parameters &allowedFields and &disallowedFields, but you’d have to make sure they weren’t both set and the code would get more complicated. As I said, I don’t use the snippet so it’s up to you.

[update] You should probably make sure that all fields are allowed if &allowedFields is empty.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

☆ A M B ☆
91 Posts

Oleg Reply #14, 13 years, 2 months ago

You have a point. Maybe the best compromise would be &disallowedFields for NON-extended fields and &allowedExtended for extended fields. That way, both can be used at once, and it would allow anyone who doesn’t use extended fields to avoid the extra hassle.

WebsiteZen.com - MODX and E-Commerce web development in the San Francisco Bay Area

24,544 Posts

BobRay Reply #15, 13 years, 2 months ago

Quote from: Oleg at Feb 14, 2011, 05:37 AM

You have a point. Maybe the best compromise would be &disallowedFields for NON-extended fields and &allowedExtended for extended fields. That way, both can be used at once, and it would allow anyone who doesn’t use extended fields to avoid the extra hassle.

If you do it that way, I would expect some confused and/or annoyed users. Personally, I would have both apply to all fields and just throw an error if the user sent both parameters (and allow all fields if neither was sent). Just my $.02.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting