Thursday, November 4, 2010

Re: CakePHP Parameter Manipulation

hi Paul,

This is my first experience developing under a framework, but I'm
starting to see the advantages and I really like the baking features
in a shell prompt. Tons of time saved there.

What I'll be building is a basic user account system where users can
login and edit their own record. So I need to prevent the user from
editing another user's record.

From your comments it looks like the solution is with group management
and the isAuthorized() syntax you mentioned. So it sounds like I need
to read more on this subject.

For your final question, I'm used to in the past for simple systems
having an authorization code as part of the database record. The code
is in the URL as a parameter and the query would do the select against
the code. The code can replace the ID and since it's a long 32
character random code, guessing another code is nearly impossible. It
was highly effective, simple and nice for situations where you didn't
want a user to have to login first - just as updating a record by
clicking on a link in an email.

Thanks for your help and time.
Jeff

On Nov 4, 9:58 am, WebbedIT <p...@webbedit.co.uk> wrote:
> Hi Jeff, and congrats on diving into the world of CakePHP!
>
> Are you asking how to prevent a user simply changing say '/articles/
> edit/1' to '/articles/edit/2' and being able to edit another article?
> If so can I ask what the problem is with that?
>
> Is the user only allowed to edit their articles?  If so, you do checks
> to make sure they are the author or member of a group with editing
> rights.  I do things of this nature by setting $auth->authorize =
> 'controller'; and creating an isAuthorized() method in my controller
> which checks if the person is allowed to perform the action on the
> record they have requested.
>
> How does making the ID longer help with this situation, other than
> adding a possible layer of obfuscation, I assume the records are not
> sequential in this case which makes guessing another record more
> difficult, but it also makes the URLs uglier changing '/articles/view/
> 1/title_of_article' to '/articles/view/
> 7d8jwjduchs6s5423n2is8dysjaks6dr/title_of_article'
>
> HTH, Paul
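A concrete form of the `$auth->authorize = 'controller'` plus `isAuthorized()` approach Paul describes, as an added example written for CakePHP 1.3 (not code from either poster): the `ArticlesController`, its `articles` table with `id` and `user_id` columns, and the `isOwner()` helper are assumptions.

```php
<?php
// Added example (not from the thread) for CakePHP 1.3: Auth delegates to
// isAuthorized(), which checks the record in the URL belongs to the logged-in
// user. Assumes an `articles` table with id/user_id; isOwner() is hypothetical.
class ArticlesController extends AppController {
    public $components = array('Auth');

    public function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->authorize = 'controller'; // consult isAuthorized() per request
        $this->Auth->allow('index', 'view');   // reading stays public
    }

    // Called by AuthComponent once the user is logged in, before the action runs.
    public function isAuthorized() {
        $userId = $this->Auth->user('id');
        if (empty($userId)) {
            return false;
        }
        if ($this->action === 'add') {
            return true; // no existing record involved
        }
        if (in_array($this->action, array('edit', 'delete'))) {
            if (!isset($this->params['pass'][0])) {
                return false;
            }
            return $this->isOwner($this->params['pass'][0], $userId);
        }
        return false; // deny anything not handled explicitly
    }

    // Resolve ownership server-side; the id in the URL proves nothing by itself.
    protected function isOwner($articleId, $userId) {
        $owner = $this->Article->field('user_id', array('Article.id' => $articleId));
        return $owner !== false && (string)$owner === (string)$userId;
    }

    public function edit($id = null) {
        if (!empty($this->data)) {
            // Pin id and author from trusted sources so a forged Article.id or
            // Article.user_id in the POST body cannot retarget the save.
            $this->data['Article']['id'] = $id;
            $this->data['Article']['user_id'] = $this->Auth->user('id');
            if ($this->Article->save($this->data)) {
                $this->redirect(array('action' => 'index'));
            }
        }
        $this->data = $this->Article->read(null, $id);
    }
}
```

The same ownership check applies to Jeff's email-link case: a record looked up by its long random code should still be matched on the server, and the code never substituted for the session user's identity when saving.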
