Kiffin Gish
Sat, 06 Feb 2010 02:27:26 -0800
On Fri, 2010-02-05 at 11:33 +0100, Aristotle Pagaltzis wrote:
> * Kiffin Gish <kiffin.g...@planet.nl> [2010-02-01 17:20]:
> > I have a number of user-defined actions which are described
> > with the user id like this:
> >
> > settings/user_id/(view|edit)
> >
> > Where user_id is the primary key into the users resultset.
> > However, I do not want this to be visible to the end-user for
> > security reasons (if I'm admin it's alright).
> >
> > Is it possible to retain these, but for users who are logged in
> > the /user_id/ is removed to get this visible instead:
> >
> > settings/(view|edit)
>
> I find this highly suspect. It sounds like your authorisation
> checks are inadequate somewhere, and you are trying to paper over
> that instead of fixing it.
>
> From an HTTP point of view it is unwise to make endpoint URIs
> like that which can refer to many different resources at any one
> point in time.
>
> Regards,
I'm not so sure that I agree, though I can appreciate your point of view. All I'm doing in fact is using the $user->id saved in the session, there being nothing papered over for authorization which is accomplished via the usual login mechanism.

--
Kiffin Gish <kiffin.g...@planet.nl>
Gouda, The Netherlands

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
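Added example, not from this thread or from the Catalyst project: one way to keep both URL forms from the discussion while making the ownership check explicit in the controller rather than relying on the URL shape. It assumes Catalyst::Plugin::Authentication and Catalyst::Plugin::Authorization::Roles are loaded, a DBIx::Class model named DB::User, and a role called 'admin'.

```perl
package MyApp::Controller::Settings;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# /settings : every settings page requires a logged-in user.
sub base : Chained('/') PathPart('settings') CaptureArgs(0) {
    my ($self, $c) = @_;
    return if $c->user_exists;
    $c->response->redirect($c->uri_for('/login'));
    $c->detach;
}

# /settings/<user_id>/... : explicit id in the URL. The authorisation
# check lives here: only the owner of that id or an admin may continue.
sub by_id : Chained('base') PathPart('') CaptureArgs(1) {
    my ($self, $c, $user_id) = @_;
    my $is_owner = $user_id eq $c->user->id;
    my $is_admin = $c->check_user_roles('admin');   # assumed role name
    unless ($is_owner || $is_admin) {
        $c->response->status(403);
        $c->response->body('Forbidden');
        $c->detach;
    }
    my $target = $c->model('DB::User')->find($user_id);   # assumed model
    unless ($target) { $c->response->status(404); $c->detach; }
    $c->stash->{target_user} = $target;
}

# /settings/... : no id in the URL; the target is always the session
# user, so nothing the client sends can select a different account.
sub mine : Chained('base') PathPart('') CaptureArgs(0) {
    my ($self, $c) = @_;
    $c->stash->{target_user} = $c->user->obj;
}

# Both URL forms end in the same two endpoints and share one handler.
sub view_by_id : Chained('by_id') PathPart('view') Args(0) { $_[1]->forward('render', ['view']) }
sub edit_by_id : Chained('by_id') PathPart('edit') Args(0) { $_[1]->forward('render', ['edit']) }
sub view_mine  : Chained('mine')  PathPart('view') Args(0) { $_[1]->forward('render', ['view']) }
sub edit_mine  : Chained('mine')  PathPart('edit') Args(0) { $_[1]->forward('render', ['edit']) }

sub render : Private {
    my ($self, $c, $mode) = @_;
    $c->stash->{template} = "settings/$mode.tt";   # acts on stash->{target_user}
}

__PACKAGE__->meta->make_immutable;
1;
```

With this layout the hidden form (/settings/view) and the explicit form (/settings/42/view) both reach the same template, and a request carrying somebody else's id is refused before any data is loaded.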