I'm wondering what everyone is doing about the default links. I'm setting 
up an application that has multiple companies with multiple employees. One 
company can't see another company's employees.
However, if a manager can display a list of all their employees and edit 
them via GET, they can simply change the id in the address bar to pull up 
any arbitrary employee from their company or any other company.

If I use a postLink, then the edit page opens blank because 
the setFlash(__('The user could not be saved. Please, try again.')) is 
triggered before the find('list') can fill out the form.
I'm only a couple of weeks new to CakePHP and am under the impression CakePHP 
won't allow an is() to validate a particular post name so I can create 
actions based on which post is being submitted; self or a view.

I tried to leave the link as GET and encrypt/decrypt, but that continued to 
fail.
Please, any suggestions would be great. I can't imagine this security hole 
doesn't have an easy fix. I just haven't seen it yet.

Thanks
Steve
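
One way to close the hole described in the message above while keeping the edit link as a plain GET, as an added example that is not part of the original post: this CakePHP 2.x action scopes the record lookup to the logged-in manager's company, so changing the id in the address bar only ever reaches rows that manager is allowed to edit. It assumes a `company_id` column on `users` and an AuthComponent session that carries the manager's `company_id`.

```php
<?php
// Added example for CakePHP 2.x; not code from the original post.
// Assumptions: users.company_id exists and AuthComponent holds the
// logged-in manager, including their company_id.
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public $components = array('Auth', 'Session');

    public function edit($id = null) {
        $companyId = $this->Auth->user('company_id');

        // Scope the lookup to the manager's own company. An id that belongs
        // to another company matches no row, so it is handled exactly like
        // a record that does not exist.
        $user = $this->User->find('first', array(
            'conditions' => array(
                'User.id' => $id,
                'User.company_id' => $companyId,
            ),
        ));
        if (!$user) {
            throw new NotFoundException(__('Invalid user'));
        }

        if ($this->request->is(array('post', 'put'))) {
            // Pin the key fields so posted data cannot retarget the save to
            // another record or move the employee to another company.
            $this->request->data['User']['id'] = $user['User']['id'];
            $this->request->data['User']['company_id'] = $companyId;

            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash(__('The user has been saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The user could not be saved. Please, try again.'));
        } else {
            // Plain GET from the list link: only populate the form.
            $this->request->data = $user;
        }
    }
}
```

The same company condition belongs on every action that takes an id (view, delete) and on the index query, since the check is what protects the record, not the HTTP method of the link.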
