Hello, I'm thinking of using Doctrine, but I was wondering about the way Doctrine manages table security. I have a RESTful service which receives API calls from a website and makes updates in the DB. The problem is that anyone can change the IDs in the request and update records that do not belong to him.

For example, I have a "Users" table and also a "Comments" table that has a "user_id" foreign key which points to a user record in the Users table. If someone wants to delete his own comment he can send a delete API call, for example:

DELETE /myservice/comment/2821

In this case 2821 is the comment id. But what if he opens Fiddler and changes the comment id to 2822, which belongs to a different user?

The trivial solution for this is to first fetch the comment, get its user_id, then fetch the user and check if this is the logged-in user. But is there any built-in way to do it with Doctrine?

Thanks,
Edi.
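The check the post describes (only delete a comment if its owner is the logged-in user) can be done in one owner-scoped lookup rather than as a separate fetch-then-compare step. The following is an added example written for this thread, not code from the original post or from the Doctrine project; the Comment and User entity classes, the NotFoundException class and the CommentDeleter service are assumptions, and the mapping of the user_id column follows the description in the post.

```php
<?php
// Added example (not from the original post): ownership-scoped delete of a
// comment with Doctrine ORM. Entity names, the exception class and the service
// wrapper below are assumptions made for illustration.

use Doctrine\ORM\EntityManagerInterface;
use Doctrine\ORM\Mapping as ORM;

#[ORM\Entity]
#[ORM\Table(name: 'Users')]
class User
{
    #[ORM\Id, ORM\GeneratedValue, ORM\Column(type: 'integer')]
    private int $id;

    public function getId(): int { return $this->id; }
}

#[ORM\Entity]
#[ORM\Table(name: 'Comments')]
class Comment
{
    #[ORM\Id, ORM\GeneratedValue, ORM\Column(type: 'integer')]
    private int $id;

    // Maps the "user_id" foreign key from the post to the owning User.
    #[ORM\ManyToOne(targetEntity: User::class)]
    #[ORM\JoinColumn(name: 'user_id', referencedColumnName: 'id', nullable: false)]
    private User $user;

    public function getId(): int { return $this->id; }
    public function getUser(): User { return $this->user; }
}

// Assumed application exception; map it to a 404 response in the REST layer.
class NotFoundException extends \RuntimeException {}

final class CommentDeleter
{
    public function __construct(private EntityManagerInterface $em) {}

    /**
     * Delete comment $commentId only if it belongs to $currentUser.
     *
     * The lookup is scoped by both the id from the URL and the authenticated
     * user, so a tampered id (2822 in the post) that belongs to someone else
     * simply matches nothing. Passing the User entity for the "user" field
     * makes Doctrine compare on the user_id column.
     */
    public function delete(int $commentId, User $currentUser): void
    {
        $comment = $this->em->getRepository(Comment::class)->findOneBy([
            'id'   => $commentId,
            'user' => $currentUser,
        ]);

        if ($comment === null) {
            // Identical outcome whether the comment is missing or owned by
            // another user, so the endpoint does not reveal which ids exist.
            throw new NotFoundException('Comment not found');
        }

        $this->em->remove($comment);
        $this->em->flush();
    }
}

// Usage from the DELETE /myservice/comment/{id} handler (assumed helpers):
//   $deleter = new CommentDeleter($entityManager);
//   $deleter->delete((int) $idFromUrl, $authenticatedUser);
```

The same pattern applies to updates: load the record scoped by the authenticated owner, then modify it, instead of loading by id alone and checking ownership afterwards. The identifier in the request is treated as untrusted input throughout; the only trusted value is the user established by the session or token.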
