I have a table object Users in a CakePHP 3.6 application that has a beforeFind callback like so:

```php
public function beforeFind(Event $event, Query $query, $options = []) {
    $query->where(['Users.active']);

    return $query;
}
```

As you can see above, the intention here is to fetch only active users for all find queries. The problem I have is that for newly registered users (which are not active until they confirm their registration), the find query on the users table will not work because it will not return inactive users.

When people validate their registration, I send them a code in the URL. I would like to verify the request to see if the code parameter exists; then I won't have to check only for active users, like so:

```php
public function beforeFind(Event $event, Query $query, $options = []) {
    if(code parameter does not exist) {
        $query->where(['Users.active']);
    }

    return $query;
}
```

But I don't know how to get the request parameter inside beforeFind in my UsersTable object.

Any help please?

user765368
  • You could pass it as an option from wherever you're doing the find? Does this exemption apply to *every* use of User queries? Seems like it could potentially be a way for people to get around restrictions; hard to say since we don't know the context. – Greg Schmidt Mar 23 '20 at 21:20
  • For all search queries I want to get only active users. For new registration, users are not active yet, and this is the ONLY instance when I want to get users that are not active. – user765368 Mar 24 '20 at 01:11
  • So, there's some single controller action where you're willing to accept the code in the URL? Read it there, and pass it so that it comes in the `$options` array. If you always check in `beforeFilter` for the presence of the code in the query parameters, then someone could maliciously add a code to any URL referencing an action that accesses users, and thereby access all users, not just active ones. – Greg Schmidt Mar 24 '20 at 05:26
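
The approach suggested in the comments, sketched as an added example (not code from the question or from the commenters): the table filters on `active` unless the caller explicitly opts out through the finder options, and only the one confirmation action does so. The option name `includeInactive`, the `confirmation_code` column, and the `confirm` action receiving the code as a routed argument are assumptions.

```php
<?php
// src/Model/Table/UsersTable.php
namespace App\Model\Table;

use ArrayObject;
use Cake\Event\Event;
use Cake\ORM\Query;
use Cake\ORM\Table;

class UsersTable extends Table
{
    public function beforeFind(Event $event, Query $query, ArrayObject $options, $primary)
    {
        // Default-deny: the filter is skipped only when the calling code
        // sets the (hypothetical) option. The table never reads the request,
        // so adding a parameter to some other URL cannot switch it off.
        if (empty($options['includeInactive'])) {
            $query->where(['Users.active' => true]);
        }
        return $query;
    }
}

// src/Controller/UsersController.php
namespace App\Controller;

use Cake\Http\Exception\NotFoundException;

class UsersController extends AppController
{
    public function confirm($code = null)
    {
        // Reject missing or non-string codes before they reach the query.
        if (!is_string($code) || $code === '') {
            throw new NotFoundException();
        }
        // The only place that opts out, and it is still limited to the
        // single inactive row that carries this confirmation code.
        $user = $this->Users
            ->find('all', ['includeInactive' => true])
            ->where(['Users.confirmation_code' => $code, 'Users.active' => false])
            ->first();
        if ($user === null) {
            throw new NotFoundException();
        }
        $user->active = true;
        $this->Users->saveOrFail($user);
    }
}
```

Finds triggered through associations or from other controllers pass no such option, so they keep the active-only filter.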

0 Answers