That's a handy solution, thanks for sharing, Martin.

On Apr 21, 7:27 am, Martin Westin <[email protected]> wrote:
> SecurityComponent does not do much for Ajax requests. At least not in
> that way.
>
> I use $this->Post->del($id) less and less. Instead I use deleteAll() in
> this way:
> $this->Post->deleteAll(array(
>     'Post.id' => $id,
>     'Post.author_id'=>$auth_user_id
> ),true,true);
>
> This will ensure that a user can only delete their own posts... ajax
> or plain request does not matter. SecurityComponent can not take care
> of all your security even without ajax and deleting with conditions is
> a good way to limit the possible damage.
>
> On Apr 21, 6:04 am, "Dave Maharaj :: WidePixels.com"
> <[email protected]> wrote:
> > I have just been messing around with my app and changing values in Ajax
> > links with Firebug to see what happens...sure enough I can be logged in as
> > user 1 and thru an Ajax form delete a post by User 2. Been reading about the
> > Security Component but seems from what I have found is that it does not work
> > with AJAX requests. Is this true? What is the best way to secure an app by
> > preventing people from using Firebug to edit the code and submit/edit/delete
> > info?
>
> > I have general if this Auth User('id') = $this type setup for users/owners
> > and so on but how can you prevent the data in forms from being manipulated?
>
> > Thanks,
>
> > Dave
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
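The ownership-scoped delete Martin describes, as an added example that is not from the thread or from CakePHP itself: it mirrors the deleteAll() conditions in plain PHP with PDO/SQLite so it runs stand-alone, with the table, column names and sample rows constructed for the demo.

```php
<?php
// Added example (not from the thread). The CakePHP equivalent of deleteOwned()
// is $this->Post->deleteAll(array('Post.id' => $id,
// 'Post.author_id' => $auth_user_id), true, true).

// Vulnerable shape: trusts the id from the request, like Post->del($id).
function deleteUnscoped(PDO $db, int $postId): int {
    $stmt = $db->prepare('DELETE FROM posts WHERE id = :id');
    $stmt->execute([':id' => $postId]);
    return $stmt->rowCount();
}

// Hardened shape: the authenticated user's id comes from the session, never
// from the form, and is part of the WHERE clause. A tampered id that belongs
// to someone else matches no row, whether the request is Ajax or not.
function deleteOwned(PDO $db, int $postId, int $authUserId): int {
    $stmt = $db->prepare(
        'DELETE FROM posts WHERE id = :id AND author_id = :author'
    );
    $stmt->execute([':id' => $postId, ':author' => $authUserId]);
    // A result of 0 means "not found or not yours"; the controller should
    // answer with an error (403/404) rather than reporting success.
    return $stmt->rowCount();
}

// Constructed sample data: one post per user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER, title TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 1, 'post by user 1'), (2, 2, 'post by user 2')");

$authUserId = 1;   // logged in as user 1 (taken from Auth, not from the request)
$tamperedId = 2;   // id edited in Firebug to point at user 2's post

// The scoped delete refuses the tampered id because the owner does not match.
printf("scoped delete of post %d as user %d: %d row(s)\n",
    $tamperedId, $authUserId, deleteOwned($db, $tamperedId, $authUserId));

// The unscoped delete removes user 2's post for user 1 without complaint.
printf("unscoped delete of post %d: %d row(s)\n",
    $tamperedId, deleteUnscoped($db, $tamperedId));
```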
