continuing the function
--------------------------------
if ($this->Model->data['Model']['user_id'] == $auth_id) // make sure to use == not =
{
//render logic if authorized
}
else
{
$this->redirect('/'); //redirect unauthorized
}
} // end of read()

now this all breaks down when using validation on your forms
I'm still working on that part! =]
hope this is a start
On Mar 28, 9:54 am, JamesF <usaexportexpe...@gmail.com> wrote:
> first make sure the thing you are saving has a foreign key with the
> user id associated with it.
> I usually would deny access with the Auth component to the action that
> I don't want a non-logged-in user to use.
>
> simple acl to check if the record belongs to current logged in user:
>
> put some kind of check in your action to read the user_id of the
> record you are about to load....if it fails use Cake's redirect
> function to redirect the user to a location of some kind. if it passes
> allow the record to be displayed.
>
> i.e.
>
> function read ($id = null)
> {
> $this->Model->id = $id; //gets id of item from url parameter
> $auth_id = $this->Auth->user('id'); //make sure your controller is using Auth or this won't work
>
> $this->Model->read(); // reads record
>
> On Mar 27, 9:05 pm, Aurelius <aurel...@temporaryinbox.com> wrote:
>
> > I'm working about 2 months with Cake, but it's my first bigger app.
> > I want to write my own security function which would check before each
> > save() if the save model is associated to the logged in user, what
> > would be the best way to do that?
>
> > My Ideas till now:
> > a beforeSave() function in AppModel:
> > + DRY
> > + relatively secure
> > - if I use more than one save() it's inefficient (I have up till 8 on
> > one page)
> > - I don't have a clue how I can check newly created ones with no id
>
> > a beforeSave() in each Model:
> > - even more crappy than above
>
> > a validation-function in the controller
> > - not DRY
> > - more code
> > + could work with already read data
>
> > I believe that there must be more people out there with the same
> > problem, are there any finished solutions?
>
> > Any Ideas or thoughts are welcome!
>
> > thx
> > Aurelius
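Added example (not code from the thread): the ownership check from JamesF's reply, written out for both cases Aurelius asks about, an existing record loaded by id and a brand-new record that has no id yet. It assumes a Cake 1.2-style Post model with a user_id column and a controller using the Auth and Session components; the `_ownsRecord()` helper name is my own.

```php
<?php
// Added example, not from the thread. Assumes a Post model with a user_id
// column and AuthComponent in use (Cake 1.2 style controller).
class PostsController extends AppController {
    var $components = array('Auth', 'Session');

    // True only when record $id exists AND its user_id equals the logged-in
    // user's id. Note == / === (comparison), never = (assignment).
    function _ownsRecord($id) {
        $authId = $this->Auth->user('id');
        if (empty($id) || empty($authId)) {
            return false;
        }
        // field() fetches one column; it returns false when no row matches,
        // so a non-existent id fails the check as well.
        $ownerId = $this->Post->field('user_id', array('Post.id' => $id));
        return ($ownerId !== false && (int)$ownerId === (int)$authId);
    }

    function edit($id = null) {
        if (!$this->_ownsRecord($id)) {
            $this->Session->setFlash('Not your record.');
            $this->redirect('/'); // redirect unauthorized; redirect() exits
        }
        if (!empty($this->data)) {
            // Never trust id or user_id posted from the form: pin both to the
            // values that were just verified, then save.
            $this->data['Post']['id'] = $id;
            $this->data['Post']['user_id'] = $this->Auth->user('id');
            if ($this->Post->save($this->data)) {
                $this->redirect(array('action' => 'view', $id));
            }
            // save() returned false: validation failed, form is re-rendered
        } else {
            $this->data = $this->Post->read(null, $id);
        }
    }

    function add() {
        // New record: nothing to look up yet, so ownership is established by
        // overwriting user_id with the session value before saving.
        if (!empty($this->data)) {
            $this->Post->create();
            $this->data['Post']['user_id'] = $this->Auth->user('id');
            if ($this->Post->save($this->data)) {
                $this->redirect(array('action' => 'index'));
            }
        }
    }
}
```

Because the check runs in the controller before save(), it does not interfere with model validation: a failed validation simply falls through to re-render the form with the user_id already pinned.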
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---