GuruMeditation

Updating a profile via the front-end. Code check?


Hello all, I've come up with the following code to allow a user to update their profile information from the front end. It's part of some code that will allow them to edit other content too. I've decided to use URL Segments to help determine the page they are trying to edit, as well as their name etc.

So this piece of code will basically allow them to update their Display Name. I just now need to add a piece of code to save the updated data back to the user profile fields etc.

The code works as I would expect, and I know there will be more efficient ways of going about this, but this is easy for me to read as it is. So I'm basically here to ask whether or not this is an ok way to go about things? Is it secure? Can you see any major issues? Obviously I will add more profile fields etc, like e-mail, avatar pic, sex etc.

I guess I'm just lacking a bit of confidence on the security front. I don't want users to have their profile info hacked from my sloppy coding etc.

<?php 

  // Use the ProcessWire input API rather than $_POST so a missing field is null instead of a notice.
  if($input->post->submit) {
    echo "Form was submitted.";
    $new_display_name = $sanitizer->text($input->post->displayname);
    // The code to save the updated info for the profile will go here.
  }

  // Make sure the user has permission before showing the page to edit.
  if($user->hasPermission("edit_content")) {

    $edit_page = $input->urlSegment1;

    // The user is trying to edit their profile.
    if($edit_page == "profile") {
      if($user->name == $input->urlSegment2 or $user->isSuperuser()){

        // Entity-encode the stored value before echoing it into an HTML attribute,
        // otherwise a display name containing quotes or tags breaks out of the input.
        $user_display_name = $sanitizer->entities($user->user_display_name);
        ?>
        <form action='./' method='post'>
          <div class="row">
            <div class="large-12 columns">
              <label>Display Name
                <input type="text" maxlength="26" name="displayname" value="<?php echo $user_display_name; ?>" />
              </label>
            </div>
          </div>
          <div class="row">
            <div class="large-12 columns">
              <button type="submit" name="submit" value="Send">Update Profile</button>
            </div>
          </div>

        </form>
        <?php
      }
      else {
        echo "You cannot edit this profile.";
      }
    }
    elseif($edit_page == "link") {
      // URL segments are user input too; encode them before echoing.
      echo "You are editing the following link page: " . $sanitizer->entities($input->urlSegment2);
    }

  }
  else {
    echo "You do not have permission to edit content.";
  }

Thanks in advance.


Hey,

I notice you are using the "edit_content" permission for profile update. I have to ask: why? If the user is logged in, they can update their own profile just fine. Maybe you plan permissions for editing content? Cannot say for sure. This check would be enough:

if ($user->isLoggedIn() && $user->name == $input->urlSegment1)

// now you may update your profile, Mr. User

Don't forget to sanitize urlSegments, too. You can never be too paranoid with user input. Don't be politically correct with external data.

On a side note, you might want to keep an eye on a similar topic.

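A hardened version of the snippet under review, added here as an example and not code from the original thread or from ProcessWire itself. It combines the login check from the reply above with sanitized URL segments, a CSRF token, entity-encoded output and the save step the original code had not yet written. It assumes a user field named user_display_name on the user template and URL segments enabled on this template, with urlSegment1 as the edit mode and urlSegment2 as the user name, as in the original post.

```php
<?php namespace ProcessWire;
// Assumed setup: field "user_display_name" on the user template, URL segments enabled.

// URL segments are user input: reduce them to page-name characters before use.
$editPage = $sanitizer->pageName($input->urlSegment1);
$editName = $sanitizer->pageName($input->urlSegment2);

if($editPage !== 'profile') return; // other edit modes (e.g. "link") would go here

// Authorization: a logged-in user may edit only their own profile, a superuser anyone's.
$target = ($user->isLoggedIn() && $user->name === $editName) ? $user : null;
if(!$target && $user->isSuperuser()) {
    $target = $users->get("name=$editName"); // $editName is already pageName-sanitized
}
if(!$target || !$target->id) {
    echo "You cannot edit this profile."; // one generic message, no hint about which check failed
    return;
}

$notice = '';
if($input->post('submit')) {
    // CSRF: the token rendered into the form must match the one held in the session.
    if(!$session->CSRF->hasValidToken()) {
        echo "Invalid form submission.";
        return;
    }
    // Display names may contain spaces, so text() rather than name(); cap the length server-side.
    $newName = $sanitizer->text($input->post('displayname'), ['maxLength' => 26]);
    if(strlen($newName)) {
        $target->of(false);                 // output formatting off before writing
        $target->user_display_name = $newName;
        $target->save('user_display_name'); // persist only the changed field
        $notice = "Profile updated.";
    }
}

// Output: entity-encode stored values before placing them in HTML attributes.
$current = $sanitizer->entities($target->user_display_name);
echo "<form action='./' method='post'>";
echo $session->CSRF->renderInput();          // hidden token field
echo "<label>Display Name <input type='text' maxlength='26' name='displayname' value='$current' /></label>";
echo "<button type='submit' name='submit' value='Send'>Update Profile</button>";
echo "</form>";
if($notice) echo "<p>" . $sanitizer->entities($notice) . "</p>";
```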

I do have one more question which I forgot to ask. Will it be safe to use $sanitizer->text($input->post->displayname) rather than $sanitizer->name($input->post->displayname) for the display name? The display name will only be used like it is on this forum. I'd like my users to be able to have spaces etc in their display names.


Yes...use what is best for the job. $sanitizer->name is best for ProcessWire 'name' - Name is used to build the URL hence its formatting (of course you can use it if you require such formatting...) but in your case, text should be fine... :-)

