Hi
You're right, I understood the issue as "changing the id of a given db row".
I'll follow your discussion because I may soon have the issue, as I want
to discriminate access to nodes in my tree structure.


As a side note, to test that you don't need to save and change a form.
In Firefox the developer toolbar allows you to make form fields writable.
I even used it to cheat in an Internet game some time ago.
(In that game you could go fishing every week and some fish were worth
more than others, and the developers made that module by passing the id
of the fish category in a form, so I just had to change that id in order
to fish the most expensive fish every week...)


AD7six wrote:
> Hi Olivier,
>
> I think the point is, that you could save the form locally, change the
> hidden field value , and edit/overwrite other entries in the database.
>
> Assume there is some data ACL. Here's a real e.g.:
>
> Access http://www.noswad.me.uk/tutorials/posts/edit/9
> save the form locally
> set the form action to be an absolute url
> change the hidden field value to "1"
> submit the form
>
> And you just edited entry number 1.
>
> If we make the assumption that the user had access to edit post 9, they
> just got around the restriction. This is just a trivial example to
> demonstrate the question raised.
>
> It raises another problem, which I've been pondering for a little
> while; I might as well chip in:
>
> If someone knows the name of a database field they shouldn't have
> access to edit, they can easily save and edit a form and update fields.
>
> I'm still thinking about generic solutions to this generic problem ;)
>
> Cheers,
>
> AD7six


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake 
PHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cake-php
-~----------~----~----~----~------~----~------~--~---
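The two server-side checks that defeat the tampered-hidden-field trick discussed in this thread (take the record id from the URL rather than the form, verify ownership, and only copy a whitelist of fields from the submitted data) can be shown without the framework. The following is an added example written in plain PHP; it is not CakePHP code and not code from either poster. The posts table, user ids and the `buildPostUpdate` function are all constructed for the illustration. In CakePHP itself the field whitelist corresponds to the `$fieldList` argument of `Model::save()`; the ownership check still has to be written in the controller.

```php
<?php
// Added illustrative example (not CakePHP's own code, not from the thread's
// authors). Plain PHP, no framework: shows the server-side checks that make
// editing the hidden id field, or adding extra fields, ineffective.
//
// Assumptions (constructed for this example): an in-memory posts table with an
// owner column, a current user id, and a fixed list of user-editable fields.

// Constructed sample data standing in for the posts table.
$posts = [
    1 => ['id' => 1, 'user_id' => 42, 'title' => 'Admin post', 'body' => 'a', 'published' => 1],
    9 => ['id' => 9, 'user_id' => 7,  'title' => 'My post',    'body' => 'b', 'published' => 0],
];

// Fields a normal user may change. Anything else submitted in the form
// (id, user_id, published, ...) is dropped, so knowing a column name does not
// let the client write to it.
const EDITABLE_FIELDS = ['title', 'body'];

/**
 * Build the update for /posts/edit/<urlId> from the submitted form data.
 *
 * - The record id comes from the URL, never from the hidden form field.
 * - The record must belong to the current user.
 * - Only whitelisted fields are copied from the form.
 *
 * Returns the validated update array, or null when the request must be
 * rejected (unknown record or not the owner).
 */
function buildPostUpdate(array $posts, int $urlId, int $currentUserId, array $formData): ?array
{
    if (!isset($posts[$urlId]) || $posts[$urlId]['user_id'] !== $currentUserId) {
        return null; // not the owner: refuse (and log it in a real application)
    }

    $update = ['id' => $urlId]; // authoritative id taken from the URL
    foreach (EDITABLE_FIELDS as $field) {
        if (array_key_exists($field, $formData)) {
            $update[$field] = (string) $formData[$field];
        }
    }
    return $update;
}

// The scenario from the thread: user 7 is allowed to edit post 9, but the
// saved-and-altered form carries id=1 plus an extra 'published' field.
$tamperedForm = ['id' => '1', 'title' => 'changed title', 'published' => '1'];

// Submitted against /posts/edit/9: the update is built for post 9 only and
// contains just 'title'; the id and published values from the form are ignored.
var_dump(buildPostUpdate($posts, 9, 7, $tamperedForm));

// Submitted with the form action changed to /posts/edit/1: user 7 does not own
// post 1, so the request is refused outright.
var_dump(buildPostUpdate($posts, 1, 7, $tamperedForm));
```

Run it with `php example.php`. The first call yields an update for post 9 carrying only the title; the second returns null. Note that the ownership check has to be repeated on every write, not only when the edit form is rendered, because nothing in the form itself can be trusted once it has left the server.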
