only allow user to change their own record 

http://www.symfony-project.org/forum/index.php?t=msg&goto=30011

I am using the generator for my backend application to create, edit, delete registers.

I have a user table.

So:

I have programmed a login system based on credentials so that users cannot see the users list. They can only go into the Edit View. Only the administrator can see the users list.

This is the code in my security.yml file for the user module.

list:
  is_secure: on
  credentials: admin
edit:
  is_secure: on
  credentials: suscriber
all:
  is_secure:   off

Then, I will make available a link for the logged in users to edit their profile:

http://example.com/user/edit/id/1

but some creative logged-in user may say: what if I change the last parameter in the address bar:

http://example.com/user/edit/id/5

If there is a user with that ID, the creative user could then modify that user's information (the user with the ID = 5)

I just want to know how to deal with this. Where can I find Information about this?

Thanks in advance!

Isaac

only allow user to change their own record 

I was trying to solve the very problem on my own, and here is my solution:

Example 2. Add to file apps/reqs/modules/staff/actions/actions.class.php

    public function isOwner()
    {
        // id of the record the client asked for (untrusted, comes from the URL)
        $reqed_id = (int) $this->getRequestParameter('id');
        // id of the profile that belongs to the logged-in sfGuard user
        $staff_id = (int) $this->getUser()->getGuardUser()->getProfile()->getId();
        // debug: $this->logMessage("$reqed_id $staff_id", 'debug');
        return ($reqed_id === $staff_id);
    }

    public function getCredential()
    {
        // give or take back the 'owner' credential dynamically,
        // before security.yml is consulted for this action
        if ($this->isOwner())
            $this->getUser()->addCredential('owner');
        else
            $this->getUser()->removeCredential('owner');

        // the hijack is over, let the normal flow continue:
        return parent::getCredential();
    }

Example 3. Add the file apps/reqs/modules/staff/config/security.yml

edit:
  is_secure: on
  credentials: owner

Then use the system as is, without changing anything else.

xpt

documented on: 2007.07.18

only allow user to change their own record 

Revisiting the very topic again, and now I come up with another (more simple) solution.

  1. Initiate an administration module, say password, by

    symfony propel-init-admin password
  2. Make whatever changes you want, then
  3. Secure it by changing apps/myapp/modules/password/actions/actions.class.php into

    <?php
    /**
     * password actions.
     *
     */
    class passwordActions extends autopasswordActions
    {
        public function preExecute()
        {
            // The code is executed at the beginning of each action call:
            // whatever 'id' the client sent is overwritten with the id of
            // the logged-in sfGuard user, so the edit form always loads
            // the caller's own record
            $this->getRequest()->
                setParameter('id', $this->getUser()->getGuardUser()->getId());
        }
        public function executeIndex()
        {
            $this->forward('password', 'edit');
        }
    }
  4. Provide the access point by:

    <?php echo link_to('Change Password', 'password') ?>

That's it, whenever the link is clicked, the user is brought into the password editing form, and the system will guarantee that users can only change their own record, even if the knowledgeable and creative logged-in user guesses and plays with the parameter in the address bar.

xpt

documented on: 2007.08.17
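Both of xpt's strategies (the dynamic 'owner' credential from the earlier post, and the preExecute override above that forces the id) can be run side by side outside symfony. The script below is an added example and not code from the thread or from symfony; StubRequest and StubUser are assumed stand-ins for sfWebRequest and sfUser (their real shapes differ), and the id values are constructed. It also validates the id as an integer before comparing, which the posted code does not do.

```php
<?php
// Stand-alone PHP 7.4+ script. StubRequest and StubUser are hypothetical
// stand-ins for symfony's request and user objects so that the two
// authorization strategies from the thread can be exercised offline.

class StubRequest
{
    private array $params;
    public function __construct(array $params) { $this->params = $params; }
    public function getParameter(string $name, $default = null)
    {
        return array_key_exists($name, $this->params) ? $this->params[$name] : $default;
    }
    public function setParameter(string $name, $value): void { $this->params[$name] = $value; }
}

class StubUser
{
    private int $guardUserId;
    private array $credentials = [];
    public function __construct(int $guardUserId) { $this->guardUserId = $guardUserId; }
    public function getGuardUserId(): int { return $this->guardUserId; }
    public function addCredential(string $c): void { $this->credentials[$c] = true; }
    public function removeCredential(string $c): void { unset($this->credentials[$c]); }
    public function hasCredential(string $c): bool { return isset($this->credentials[$c]); }
}

// Strategy 1 (xpt's first post): compare the requested id with the logged-in
// user's id and grant or revoke a dynamic 'owner' credential. The id is
// validated as an integer first, so "1abc" or a missing id never compares equal.
function grantOwnerCredential(StubRequest $req, StubUser $user): bool
{
    $requested = filter_var($req->getParameter('id'), FILTER_VALIDATE_INT);
    if ($requested !== false && $requested === $user->getGuardUserId()) {
        $user->addCredential('owner');
    } else {
        $user->removeCredential('owner');
    }
    // security.yml would require the 'owner' credential for the edit action
    return $user->hasCredential('owner');
}

// Strategy 2 (xpt's second post): ignore whatever id the client sent and
// overwrite it with the session's id before the edit action runs.
// Returns the id the edit action will actually load.
function forceOwnRecord(StubRequest $req, StubUser $user): int
{
    $req->setParameter('id', $user->getGuardUserId());
    return (int) $req->getParameter('id');
}

// Constructed inputs: user 1 is logged in and submits several id values.
$cases = [
    'own id'         => ['id' => '1'],
    'other user'     => ['id' => '5'],
    'numeric prefix' => ['id' => '1abc'],   // loose == would accept this on PHP 7
    'no id'          => [],
];

foreach ($cases as $label => $params) {
    $user    = new StubUser(1);
    $allowed = grantOwnerCredential(new StubRequest($params), $user);
    $loaded  = forceOwnRecord(new StubRequest($params), $user);
    printf("%-15s strategy1: %-7s strategy2 loads id %d\n",
        $label, $allowed ? 'allowed' : 'denied', $loaded);
}
```

Run with `php` and the table shows strategy 1 allowing only the exact own id and strategy 2 loading id 1 in every case. The design difference matters for auditing: strategy 1 denies a tampered request (a 403 you can log and alert on), while strategy 2 silently serves the caller's own record, so a probing user gets no signal but you also get no log entry.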