Tuesday, March 2, 2010

Re: Different logic and view for each group

> You'll also want to make sure your Controllers are very user aware.
> Just because the link doesn't show up in the view doesn't mean someone
> isn't going to try and visit the link. Especially after seeing the
> simple human readable structure of the url /product/28.
>
> Never try to secure your site via the view or by simply hiding the
> available actions from the user. The controller should be the place
> you verify that the user is authorized to call it.

Sorry, I should have gone further, but did expect the OP to come back
with something further to carry the conversation forward.

I use Auth, set $this->Auth->authorize = 'controller'; in my
controllers and let the controller determine if the user should have
access to do certain actions on certain records.

Paul.
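As an added illustration of the controller-level check Paul describes (this is example code, not from the thread or from CakePHP itself): a CakePHP 1.3-style controller that sets `$this->Auth->authorize = 'controller'` and implements `isAuthorized()` so that every request, including a hand-typed `/products/edit/28`, is checked against the logged-in user and the record's owner. The `Product.user_id` column and the `User.role` column are assumptions made for the example.

```php
<?php
// Added example, not from the original thread. Assumes CakePHP 1.3, a Product
// model with a user_id column, and a User model with a role column (all assumptions).
class ProductsController extends AppController {
    var $name = 'Products';
    var $components = array('Auth');

    function beforeFilter() {
        parent::beforeFilter();
        // Route every action through isAuthorized(); hiding links in the view is not enough.
        $this->Auth->authorize = 'controller';
    }

    // AuthComponent calls this for every action once authorize == 'controller'.
    // Returning false blocks the request regardless of what the view showed.
    function isAuthorized() {
        $action = $this->action;
        $role   = $this->Auth->user('role');
        $userId = $this->Auth->user('id');

        // Read-only actions: any logged-in user.
        if (in_array($action, array('index', 'view'))) {
            return true;
        }

        // Admins may do anything.
        if ($role === 'admin') {
            return true;
        }

        // Creating a record needs only a logged-in user.
        if ($action === 'add') {
            return true;
        }

        // Record-level check: edit/delete only on records the user owns.
        if (in_array($action, array('edit', 'delete'))) {
            $id = isset($this->params['pass'][0]) ? $this->params['pass'][0] : null;
            if ($id === null) {
                return false;
            }
            // Look up the owner of the requested record in the database.
            $ownerId = $this->Product->field('user_id', array('Product.id' => $id));
            return $ownerId !== false && (string)$ownerId === (string)$userId;
        }

        // Default deny for anything not listed above.
        return false;
    }
}
```

The important property is that the decision is made from the database record and the authenticated user, not from the URL or from which links the view rendered, and that the fall-through case denies rather than allows.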
