Aristotle Pagaltzis
Fri, 05 Feb 2010 02:42:21 -0800
* Kiffin Gish <kiffin.g...@planet.nl> [2010-02-01 17:20]:
> I have a number of user-defined actions which are described
> with the user id like this:
>
> settings/user_id/(view|edit)
>
> Where user_id is the primary key into the users resultset.
> However, I do not want this to be visible to the end-user for
> security reasons (if I'm admin it's alright).
>
> Is it possible to retain these, but for users who are logged in
> the /user_id/ is removed to get this visible instead:
>
> settings/(view|edit)

I find this highly suspect. It sounds like your authorisation checks
are inadequate somewhere, and you are trying to paper over that
instead of fixing it.

From an HTTP point of view it is unwise to make endpoint URIs like
that which can refer to many different resources at any one point
in time.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
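
Added example, not part of the original thread or of Catalyst itself: a chained Catalyst controller that keeps settings/user_id/(view|edit) and enforces the authorisation check on every request, so exposing the id in the URI gives a user nothing they are not entitled to. It assumes a hypothetical application MyApp with a DB::User model, an 'admin' role, the Authentication and Authorization::Roles plugins loaded, and the template paths shown.

```perl
package MyApp::Controller::Settings;   # hypothetical application and controller names
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# /settings/<user_id>/... : load the target user, then authorise the request.
sub target :Chained('/') :PathPart('settings') :CaptureArgs(1) {
    my ($self, $c, $user_id) = @_;

    # Not logged in: nothing under /settings is reachable.
    unless ($c->user_exists) {
        $c->response->status(401);
        $c->response->body('Login required');
        $c->detach;
    }

    # Accept only a plain integer key before touching the database.
    my $target = $user_id =~ /\A[0-9]+\z/
        ? $c->model('DB::User')->find($user_id)   # assumed model/resultset name
        : undef;

    # The check itself: admins may act on any user, everyone else only on themselves.
    my $allowed = $target
        && ( $c->check_user_roles('admin') || $c->user->id == $target->id );

    unless ($allowed) {
        # Same response for "no such user" and "not yours".
        $c->response->status(404);
        $c->response->body('Not found');
        $c->detach;
    }

    $c->stash(target_user => $target);
}

sub view :Chained('target') :PathPart('view') :Args(0) {
    my ($self, $c) = @_;
    $c->stash(template => 'settings/view.tt');   # assumed template path
}

sub edit :Chained('target') :PathPart('edit') :Args(0) {
    my ($self, $c) = @_;
    $c->stash(template => 'settings/edit.tt');   # assumed template path
}

__PACKAGE__->meta->make_immutable;
1;
```

Because view and edit both chain off target, neither can be reached without passing the check, and each URI keeps referring to exactly one user's settings.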