secure.yaml 

http://www.symfony-project.org/forum/index.php?t=msg&th=6989

i now wanted to set some security settings via. security.yml, but unluckily it didnt worked the way i though it should…

i just created a 'security.yml' in the 'apps/myapp/modules/mymodule/config/' Folder with (and nothing else) :

executeTest:
  is_secure:   on
  credentials: admin
Test:
  is_secure:   on
  credentials: admin
test:
  is_secure:   on
  credentials: admin

I added that 3 Things couze test didn't worked… so here is my First question, if i have something like this:

Example: File actions.class.php:
class mymoduleActions extends sfActions
{
  public function executeTest()
  {
    $this->temp = "if you can read me, it didnt worked out.";
  }
}

so should the entry in the 'security.yml' be Test, or test? Well at least one of that 3 Ways should work, but if i try to open it myserver.de/mymodule/test

i can read the Text everytime … and dind't get something like "permission denied" , by the way, i didnt added any Credentials and setAuthenticated(true) to the user, so what did i did wrong? :(

And there are 2 Paths where i can add my security.yml , if i have entred in both, wich one will be used for an action?

'apps/myapp/modules/mymodule/config/' 'apps/myapp/config/'

secure.yaml 

> so should the entry in the 'security.yml' be Test, or test?

apps/myapp/modules/mymodule/config/security.yml

test:
  is_secure: on
  credentials: admin

as per http://www.symfony-project.org/book/trunk/06-Inside-the-Cont roller-Layer#Action%20Security

  1. Did you clear the cache after applying the security?

  2. To perform more 'generic' test you could do: 

    all:
  is_secure: on
  credentials: admin

documented on: 13 June 2007, pezetgee

access myUser.class.php from a template/layout 

my goal is to access the content of myUser.class.php (located in the lib dir) from a template or layout. But how can I do that?

My myUser.class.php file:

class myUser extends sfBasicSecurityUser
{
        public function getTestData()
        {
                return "test-text";
        }
}

access myUser.class.php from a template/layout 

> Try this in your template :
>
> $sf_user->getTestData( )

that works perfectly, thanks a lot!

documented on: 14 August 2007, scube

only allow user to change their own record 

http://www.symfony-project.org/forum/index.php?t=msg&goto=30011

I am using the generator for my backend application to create, edit, delete registers.

I have a user table.

So:

I have programmed a login system based on credentials so that users cannot see the users list. They can only go into the Edit View. Only the administrator can see the users list.

This is the code in my scurity.yml file for the user module.

list:
  is_secure: on
  credentials: admin
edit:
  is_secure: on
  credentials: suscriber
all:
  is_secure:   off

Then, I will make available a link for the logged in users to edit their profile:

http://example.com/user/edit/id/1

but some creative loggen in user may say: what if I change the last parameter in the address bar:

http://example.com/user/edit/id/5

If there is a user with that ID, the creative user could then modify that user's information (the user with the ID = 5)

I just want to know how to deal with this. Where can I find Information about this?

Thanks in advanced!

Isaac

only allow user to change their own record 

I was trying to solve the very problem on my own, and here is my solution:

Example: Add to file apps/reqs/modules/staff/actions/actions.class.php
    public function isOwner()
    {
        $reqed_id = $this->getRequestParameter('id');
        $staff_id = $this->getUser()->getGuardUser()->getProfile()->getId();
        // debug $this->logMessage("$reqed_id $staff_id", 'debug');
        return ($reqed_id == $staff_id);
    }

    function getCredential()
    {
        // give or take back credentials dynamically
        if ($this->isOwner())
            $this->getUser()->addCredential('owner');
        else
            $this->getUser()->removeCredential('owner');

        // the hijack is over, let the normal flow continue:
        return parent::getCredential();
    }
Example: Add the file apps/reqs/modules/staff/config/security.yml
edit:
  is_secure:on
  credentials: owner

Then use the system as is, without changing anything else.

xpt

documented on: 2007.07.18

only allow user to change their own record 

Revisiting the very topic again, and now I come up with another (more simple) solution.

  1. Initiate an administration module, say password, by 

    symfony propel-init-admin password

  2. Make whatever changes you want, then

  3. Secure it by changing apps/myapp/modules/password/actions/actions.class.php into 

    <?php
    /**
 * password actions.
 *
 */
class passwordActions extends autopasswordActions
{
    public function preExecute()
    {
        // The code is executed at the beginning of each action call
        $this->getRequest()->
            setParameter('id', $this->getUser()->getGuardUser()->getId());
    }
        public function executeIndex()
    {
        $this->forward('password', 'edit');
    }
}

  4. Provide the access point by: 

    <?php echo link_to('Change Password', 'password') ?>

That's it, whenever the link is click, the user is brought into the password editing form, and the system will guarantee that users can only change their own record, even if the knowledgeable and creative logged-in user guessed and plays with the parameter in the address bar.

xpt

documented on: 2007.08.17

Hiding info from url 

http://www.symfony-project.org/forum/index.php?t=msg&th=5477

I built an admin gen interface to allow users to modify their own profiles.

It works, but the url shows

staff.php/profile/edit/id/2

which has a big loophole so that "smart" users can changes others profile (or even password) as well, by manually changing the last id number on url.

So I thought of using a forward, which is "internal to the application and transparent to the user. As far as the user is concerned, the displayed URL is the same as the one requested."

However, currently forward in symfony doesn't take any additional parameters other than the module and action name.

So is there any away so that I can make this a little hack-proof?

documented on: 2007.03.09

query string on redirects and forwards 

http://www.symfony-project.org/forum/index.php?t=msg&goto=33219#msg_33219

> In the book it shows you how to force a parameter to appear as the query
> string when using the link_to etc helpers.
> http://www.symfony-project.org/book/trunk/09-Links-and-the-Routing-System#Forcing%20Request%20Parameters%20As%20GET%20Variables[]
>
> Is it possible to do that with the action methods $this->redirect and
> $this->forward, and if so what is the syntax for this?

  1. for forward: set request parameter(s) before forward, ie: 

    $this->getRequest()->setParameter('parameter_name', parameter_value);
$this->forward('module_name', 'action_name');

  2. for redirect: redirect accepts parameters just like link_to(), ie: 

    $this->redirect('module_name/action_name?parameter_name=parameter_value');

11 August 2007, pezetgee

redirect strips data out 

http://www.symfony-project.org/forum/index.php?t=msg&goto=32472#msg_32472

I am having issue with $this->redirect. It's stripping part of the URL I am passing as a parameter.

For example, this redirect request parameter

/browse/article/id/my_article

leading to

$this->redirect('/browse/article/id/my_article');

becomes

/browse/article

in the browser.

and results in a 404.

How can I do such a redirect?

redirect strips data out 

> have you tried:
>
> $this->redirect('/browse/article?id=my_article');

cokker is correct: if you do not specify an absolute url (i.e beginning by http://), symfony assumes a sf url, so use the routing (and so you must specify your parameters after the ? and the routing will rewrite your url)

30 July 2007, cblin

redirect strips data out 

> Thanks. I used the referer instead and then it's fine because it's absolute.

be aware that some firewall (ex: symantec) do not send the referer to the server.

01 August 2007, cblin