I think you are confusing a few things here.
GET/POST has nothing to do with what pages you can access.
You should use role-based (preferred) or row-based access control for those forms and non-public actions.
The type is relevant for what type of action you take:
GET if it does not alter the database (view, index, add/edit for display of the form)
POST to alter the database (add/edit upon save, delete)
mark
On Friday, 8 August 2014 17:55:10 UTC+2, Steve Thomas wrote:
>
> I'm wondering what everyone is doing about the default links. I'm setting
> up an application that has multiple companies with multiple employees. One
> company can't see another company's employees.
> However, if a manager can display a list of all their employees and edit
> them via GET, they can simply change the id in the address bar to pull up
> any arbitrary employee from their company or any other company.
>
> If I use a postLink, then the edit page opens blank because
> the setFlash(__('The user could not be saved. Please, try again.')) is
> triggered before the find('list') can fill out the form.
> I'm only a couple of weeks new to CakePHP and am under the impression CakePHP
> won't allow an is() to validate a particular post name so I can create
> actions based on which post is being submitted; self or a view.
>
> I tried to leave the link as GET and encrypt/decrypt, but that continued
> to fail.
> Please, any suggestions would be great. I can't imagine this security hole
> doesn't have an easy fix. I just haven't seen it yet.
>
> Thanks
> Steve
---
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
Visit this group at http://groups.google.com/group/cake-php.
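As an added example (not code from this thread and not CakePHP's own code) of the pattern mark describes and the hole Steve is asking about: plain PHP with no framework dependency, where every employee lookup is scoped by the logged-in user's company_id, a GET only renders the edit form, and only a POST writes. The table layout, field names, the shape of the `$request` array and the `editEmployee` function are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread or from CakePHP. Plain PHP
// (no framework) showing the pattern mark recommends: every lookup is
// scoped by the logged-in user's company_id (row-based access control),
// GET only renders the form, and only POST writes. Table layout, field
// names and the $request array shape are assumptions for illustration.

// Constructed sample rows standing in for the employees table.
function sampleEmployees(): array {
    return [
        1 => ['id' => 1, 'company_id' => 10, 'name' => 'Ada'],
        2 => ['id' => 2, 'company_id' => 10, 'name' => 'Bob'],
        3 => ['id' => 3, 'company_id' => 20, 'name' => 'Cy'],
    ];
}

// The hole Steve describes: the id from the address bar is trusted as-is,
// so any logged-in manager can pull up any employee of any company.
function findEmployeeUnscoped(array $employees, int $id): ?array {
    return $employees[$id] ?? null;
}

// Hardened lookup: the caller's company_id is part of the "WHERE" clause,
// so a foreign id is simply not found. The CakePHP 2 equivalent would be
// find('first', ['conditions' => ['Employee.id' => $id,
//                                  'Employee.company_id' => $companyId]]).
function findEmployeeScoped(array $employees, int $id, int $companyId): ?array {
    $row = $employees[$id] ?? null;
    if ($row === null || $row['company_id'] !== $companyId) {
        return null; // same answer for "does not exist" and "not yours"
    }
    return $row;
}

// Controller-style edit action. $user is the authenticated user (company_id
// comes from the session, never from the request). $request is
// ['method' => 'GET'|'POST', 'data' => [...]]. Returns [status, body].
function editEmployee(array &$employees, array $user, int $id, array $request): array {
    $employee = findEmployeeScoped($employees, $id, (int) $user['company_id']);
    if ($employee === null) {
        return [404, 'not found'];
    }
    if ($request['method'] === 'GET') {
        // Display only: hand the record to the form, write nothing.
        return [200, $employee];
    }
    if ($request['method'] !== 'POST') {
        return [405, 'method not allowed'];
    }
    // Write path. Strip fields the client must never control, so a crafted
    // POST cannot move the record to another company or retarget the id.
    $data = $request['data'] ?? [];
    unset($data['id'], $data['company_id']);
    $employees[$id] = array_merge($employee, $data);
    return [302, $employees[$id]];
}

// Walk-through: a manager of company 10 tries to reach employee 3 (company 20).
$employees = sampleEmployees();
$manager   = ['id' => 99, 'company_id' => 10];

if (findEmployeeUnscoped($employees, 3) === null) { throw new RuntimeException('unscoped lookup should leak'); }
if (findEmployeeScoped($employees, 3, 10) !== null) { throw new RuntimeException('scoped lookup must not leak'); }

[$status] = editEmployee($employees, $manager, 3, ['method' => 'POST', 'data' => ['name' => 'X']]);
if ($status !== 404) { throw new RuntimeException('cross-company edit must be refused'); }

[$status] = editEmployee($employees, $manager, 2, ['method' => 'GET']);
if ($status !== 200) { throw new RuntimeException('GET should render the form'); }

[$status] = editEmployee($employees, $manager, 2,
    ['method' => 'POST', 'data' => ['name' => 'Bo', 'company_id' => 20]]);
if ($status !== 302 || $employees[2]['company_id'] !== 10 || $employees[2]['name'] !== 'Bo') {
    throw new RuntimeException('POST must save the name but keep company_id');
}
echo "all checks passed\n";
```

Run it with `php example.php`. In a CakePHP 2 controller the same shape falls out naturally: the company scope comes from `$this->Auth->user('company_id')`, the branch between "render the form" and "save" is `$this->request->is('post')`, and the edit link stays an ordinary GET link, which also avoids the blank edit page Steve gets from postLink, since the GET branch fills the form and only the POST branch ever calls save.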