
Updating a profile via the front-end. Code check?


GuruMeditation

Hello all, I've come up with the following code to allow a user to update their profile information from the front end. It's part of some code that will allow them to edit other content too. I've decided to use URL Segments to help determine the page they are trying to edit, as well as their name etc.

So this piece of code will basically allow them to update their Display Name. I just now need to add a piece of code to save the updated data back to the user profile fields etc.

The code works as I would expect, and I know there will be more efficient ways of going about this, but this is easy for me to read as it is. So I'm basically here to ask whether or not this is an ok way to go about things? Is it secure? Can you see any major issues? Obviously I will add more profile fields etc, like e-mail, avatar pic, sex etc.

I guess I'm just lacking a bit of confidence on the security front. I don't want users to have their profile info hacked from my sloppy coding etc :undecided:

<?php 

  // Read the submit flag through the ProcessWire $input API instead of the raw $_POST array
  // (avoids an undefined-index notice when the form has not been submitted).
  if($input->post->submit) {
    echo "Form was submitted.";
    $new_display_name = $sanitizer->text($input->post->displayname);
    // The code to save the updated info for the profile will go here.
  }

  // Make sure the user has permission before showing the page to edit.
  if($user->hasPermission("edit_content")) {

    $edit_page = $input->urlSegment1;

    // The user is trying to edit their profile.
    if($edit_page == "profile") {
      if($user->name == $input->urlSegment2 or $user->isSuperuser()){

        // Escape the stored value before echoing it into an HTML attribute.
        $user_display_name = $sanitizer->entities($user->user_display_name);
        ?>
        <form action='./' method='post'>
          <div class="row">
            <div class="large-12 columns">
              <label>Display Name
                <input type="text" maxlength="26" name="displayname" value="<?php echo $user_display_name; ?>" />
              </label>
            </div>
          </div>
          <div class="row">
            <div class="large-12 columns">
              <button type="submit" name="submit" value="Send">Update Profile</button>
            </div>
          </div>

        </form>
        <?php
      }
      else {
        echo "You cannot edit this profile.";
      }
    }
    elseif($edit_page == "link") {
      // URL segments are user-controlled, so escape them before echoing.
      echo "You are editing the following link page: " . $sanitizer->entities($input->urlSegment2);
    }

  }
  else {
    echo "You do not have permission to edit content.";
  }

Thanks in advance.


Hey,

I notice you are using the "edit_content" permission for profile update. I have to ask: why? If the user is logged in, they can update their own profile just fine. Maybe you plan permissions for editing content? Cannot say for sure. This check would be enough:

if ($user->isLoggedIn() && $user->name == $input->urlSegment1)

// now you may update you profile, Mr. User

Don't forget to sanitize urlSegments, too. You can never be too paranoid with user input. Don't be politically correct with external data.

On a side note, you might want to keep an eye on a similar topic.


I do have one more question which I forgot to ask. Will it be safe to use $sanitizer->text($input->post->displayname) rather than $sanitizer->name($input->post->displayname) for the display name? The display name will only be used like it is on this forum. I'd like my users to be able to have spaces etc in their display names.


Yes...use what is best for the job. $sanitizer->name is best for ProcessWire 'name' - Name is used to build the URL hence its formatting (of course you can use it if you require such formatting...) but in your case, text should be fine... :-)

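Pulling the replies together (ownership check on a sanitized URL segment, $sanitizer->text for the display name, escaped output, and the missing save step), here is an added example of the profile page written that way. It is not code from either poster; it assumes the ProcessWire 3.x API, a template with URL segments enabled, and the custom user field user_display_name from the first post.

```php
<?php namespace ProcessWire;
// Added example, not the original poster's code. Assumes ProcessWire 3.x,
// URL segments enabled on this template, and a custom user field 'user_display_name'.

// 1. Sanitize the URL segment before comparing it to anything.
$target_name = $sanitizer->pageName($input->urlSegment1);

// 2. Only a logged-in user editing their own profile (or a superuser) gets through.
if (!$user->isLoggedIn() || $target_name === '') {
    throw new Wire404Exception();
}
if ($target_name === $user->name) {
    $profile = $user;
} elseif ($user->isSuperuser()) {
    $profile = $users->get("name=$target_name"); // NullPage (id 0) if no such user
} else {
    $profile = null;
}
if (!$profile || !$profile->id) {
    throw new Wire404Exception();
}

if ($input->post('submit')) {
    // 3. The CSRF token must match the one rendered with the form (throws WireCSRFException if not).
    $session->CSRF->validate();
    // 4. text() keeps spaces (unlike name()); maxLength mirrors the form's maxlength attribute.
    $new_display_name = $sanitizer->text($input->post('displayname'), ['maxLength' => 26]);
    if ($new_display_name !== '') {
        $profile->of(false);                       // output formatting off before saving
        $profile->user_display_name = $new_display_name;
        $profile->save('user_display_name');       // save only this field
        $session->redirect($page->url . $target_name . '/'); // redirect after POST
    }
}

// 5. Escape the stored value before echoing it into the HTML attribute.
$display = $sanitizer->entities($profile->user_display_name);
?>
<form action="./" method="post">
  <label>Display Name
    <input type="text" maxlength="26" name="displayname" value="<?php echo $display; ?>">
  </label>
  <?php echo $session->CSRF->renderInput(); ?>
  <button type="submit" name="submit" value="Send">Update Profile</button>
</form>
```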
