Thanks Mark,
I am using ACL. So for example, if a role such as a manager can list all
the employees of that company, it also adds the Action links (add) (edit)
(delete). If this manager clicks to edit one of the employee (users), this
is sent to the EDIT view via GET with the user id in the address bar
- controller/method/id. All the manager would have to do is change the id
in the address bar to access another user. Possibly a user from a different
company which they shouldn't be able to access.
It's generally not acceptable programming to send account id via GET
because of this security breach. It should always be sent POST. However,
the EDIT form submits to its self and therefore conflicts with other posts.
I was hoping this is such a basic and common flaw that there would be an
easy fix.
I hope that cleared up what I'm trying to accomplish.
Another example is the DELETE link on the same Action with EDIT and ADD
uses postLink() to avoid the id being sent via GET in the address bar.
However, the delete page doesn't have any other POST or self submissions
and no conflicts.
Thanks
Steve
On Friday, August 8, 2014 3:03:57 PM UTC-4, euromark wrote:
> I think you are confusing a few things here.
> GET/POST has nothing to do with what pages you can acess.
> You should use role (preferred) or row based access control to those forms
> and non-public actions.
>
> The type is revelant for what type of action you take.
> GET if it does not alter the database (view, index, add/edit for display
> of form)
> POST to alter the database (add/edit upon save, delete)
>
> mark
>
>
> Am Freitag, 8. August 2014 17:55:10 UTC+2 schrieb Steve Thomas:
>>
>> I'm wondering what everyone is doing about the default links. I'm setting
>> up an application that has multiple companies with multiple employees. One
>> company can't see another companies employees.
>> However, if a manager can display a list of all their employees and edit
>> them via GET, they can simply change the id in the address bar to pull up
>> any arbitrary employee from their company or any other company.
>>
>> If I use a postLink, then the edit page opens blank because
>> the setFlash(__('The user could not be saved. Please, try again.) is
>> triggered before the find('list') can fill out the form.
>> I'm only a couple weeks new to cakephp and am under the impression
>> cakephp won't allow a is() to validate a particular post name so I can
>> create actions based on which post is being submitted; self or a view.
>>
>> I tried to leave the link as GET and encrypt/decrypt, but that continued
>> to fail.
>> Please, any suggestions would be great. I can't imagine this security
>> hole doesn't have an easy fix. I just haven't seen it yet.
>>
>> Thanks
>> Steve
>>
>>
--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.
