response handling

[nithiz]

Since validation is taken care of in the plugin itself, is it not very easy to just do the following to fake the validation?

<form method="POST" action=/users/opauth_complete">

    <input type="text" name="auth[uid]">
        <input type="text" name="validated" value="1">
    <button type="submit">submit</button>

</form>

Now for example i just submit the uid of a random facebook user and i'm logged in..

Am i doing something wrong? The only check i have is the following:

if (
    isset($this->data['error']) || 
    (isset($this->data['validated']) && !$this->data['validated']) ||
    !isset($this->data['validated'])
) {
    // Error handling here...
} else {
    // User passed validation
}

[uzyn]

@nithiz You're right about that.

Perhaps validation should be taken out of this plugin and instead having the controller call a method to validate the request.

PR is welcomed on that.

Thanks.

[nithiz]

@uzyn Hey thanks for your reply :)

Would be nice to have the Opauth object globally available so i would be able to just call $this->Opauth->validate($this->data) in de opauth_complete method. That would solve the problem.