of the action in my isAuthorized function.
On Feb 22, 7:26 pm, cricket <zijn.digi...@gmail.com> wrote:
> On Tue, Feb 22, 2011 at 11:35 AM, chris <chris....@internetlogistics.com> wrote:
> > Whilst going through the security of my application, I've noticed a
> > flaw. I'm not sure if this is a cake issue, or just something I need
> > to be aware of however.
>
> > I'm using code from the Bakery for the Sortable behaviour. So I've got
> > functions named moveUp and moveDown in my controller.
>
> > In isAuthorized I'm doing the following
>
> > if( $this->action == 'moveUp' || $this->action == 'moveDown'){
> > ..code to check if this is allowed
> > }
>
> > However, I've realised that this can be skipped by calling the actions
> > using a lowercase name, e.g. controller/moveup/ will still call the
> > moveUp action, but the isAuthorized check will be skipped.
>
> > At the moment, the best fix I can think of is using strtolower to get
> > a lowercase version of the action for checking in the isAuthorized
> > function.
>
> > But is this something that cakePHP should protect against?
>
> No, it should be handled in your routine. You need to normalise the
> strings (eg. to lowercase). For example, this is how it's handled in
> AuthComponent's startup():
>
> $action = strtolower($controller->params['action']);
> ...
> $allowedActions = array_map('strtolower', $this->allowedActions);
> $isAllowed = ($this->allowedActions == array('*') || in_array($action,
> $allowedActions));
>
> So, if you left it up to setting allowedActions, it'd be handled for
> you. But, because you're doing your own isAuthorized() it's up to you
> to ensure the strings are the same case.
--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php
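An added stand-alone example (not code from the thread or from CakePHP's own source) that models the case-sensitive check from the original post beside a normalised one, using the same strtolower/array_map approach as AuthComponent; the ItemsController class and its userRole property are assumed names:

```php
<?php
// PHP method names are case-insensitive, so a request for 'moveup' reaches the
// moveUp() action while a case-sensitive string comparison in isAuthorized()
// fails to recognise it. Both checks below receive the raw action name.

// Hypothetical controller stub; only the action names matter for this demo.
class ItemsController
{
    // Role of the current user, assumed to be set by the app's auth layer.
    public $userRole = 'member';

    // Vulnerable version: exact comparison, as in the original post.
    public function isAuthorizedNaive($action)
    {
        if ($action == 'moveUp' || $action == 'moveDown') {
            return $this->userRole == 'admin';
        }
        return true; // everything else is open to any logged-in user
    }

    // Hardened version: lowercase both sides before comparing, mirroring
    // what AuthComponent does for allowedActions.
    public function isAuthorizedNormalized($action)
    {
        $action = strtolower($action);
        $restricted = array_map('strtolower', array('moveUp', 'moveDown'));
        if (in_array($action, $restricted, true)) {
            return $this->userRole == 'admin';
        }
        return true;
    }

    // The real actions; PHP dispatches to them regardless of case.
    public function moveUp()   { return 'moved up'; }
    public function moveDown() { return 'moved down'; }
}

$controller = new ItemsController();

// Constructed sample of action names as they might arrive in the URL.
foreach (array('moveUp', 'moveup', 'MOVEDOWN', 'index') as $action) {
    // Does PHP still route this spelling to a real action method?
    $dispatches = method_exists($controller, $action) ? 'yes' : 'no';
    printf("%-9s dispatches=%-3s naive=%-5s normalized=%s\n", $action, $dispatches,
        $controller->isAuthorizedNaive($action) ? 'allow' : 'deny',
        $controller->isAuthorizedNormalized($action) ? 'allow' : 'deny');
}
```

For the member role the naive check lets 'moveup' and 'MOVEDOWN' through while both still dispatch to the restricted actions; the normalised check denies all three spellings.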