Doctrine 2 is an object-relational mapper (ORM) [1] for PHP 5.3.3+ that provides transparent persistence for PHP objects. So in itself it cannot help you with your security issues; that's something you need to solve yourself.

If you're looking for something that can help you with that, you might want to take a look at frameworks such as Symfony 2 [2], Zend Framework 2 [3] or Laravel 4 [4]. These all have Doctrine 2 support (some by default, others have modules/plugins for Doctrine 2).

[1]: http://en.wikipedia.org/wiki/Object-relational_mapping
[2]: http://symfony.com
[3]: http://framework.zend.com
[4]: http://laravel.com

--
Jasper N. Brouwer
(@jaspernbrouwer)

On 14 May 2014 at 09:51:13, [email protected] ([email protected]) wrote:

> Hello,
>
> I'm thinking of using Doctrine, but I was wondering about the way Doctrine
> manages table security.
> I have a RESTful service which receives API calls from a website and makes
> updates in the DB.
> The problem is that anyone can change the IDs in the request and update
> records that do not belong to him.
>
> For example, I have a "Users" table and also a "Comments" table that has a
> "user_id" foreign key which points to a user record in the Users table.
> If someone wants to delete his own comment he can send a delete API call.
> For example: DELETE /myservice/comment/2821
> In this case 2821 is the comment id.
> But what if he opens Fiddler and changes the comment id to 2822, which
> belongs to a different user?
>
> The trivial solution for this is to first fetch the comment, get its
> user_id, then fetch the user and check if this is the logged-in user.
> But is there any built-in way to do it with Doctrine?
>
> Thanks,
> Edi.
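
The ownership check described in the question can be made part of the lookup itself, so that a comment belonging to another user is never loaded. The following is an added example, not part of either message and not Doctrine's own code; the `Comment` entity, its `user` association and both function names are assumptions, and a configured EntityManager is assumed to exist.

```php
<?php
// Added example. Assumes a hypothetical Comment entity whose "user" field is
// a ManyToOne association to User (the user_id foreign key from the question).

use Doctrine\ORM\EntityManagerInterface;

/**
 * Deletes a comment only if it belongs to the authenticated user.
 * $currentUserId must come from the server-side session or token,
 * never from the request path or body.
 *
 * @return bool true if the comment was deleted, false if no such comment
 *              exists for this user
 */
function deleteOwnComment(EntityManagerInterface $em, $commentId, $currentUserId)
{
    // Ownership is a criterion of the query, so there is no separate
    // "fetch, then compare user_id" step that a handler could forget.
    $comment = $em->getRepository('Comment')->findOneBy(array(
        'id'   => (int) $commentId,
        'user' => (int) $currentUserId,
    ));

    if ($comment === null) {
        return false;
    }

    $em->remove($comment);
    $em->flush();

    return true;
}

/**
 * Hypothetical handler for DELETE /myservice/comment/{id}.
 * Returns the HTTP status code to send.
 */
function handleDeleteComment(EntityManagerInterface $em, $pathId, $sessionUserId)
{
    if ($sessionUserId === null) {
        return 401; // not logged in
    }
    if (!ctype_digit((string) $pathId)) {
        return 400; // id in the path is not a non-negative integer
    }
    // Same 404 for "does not exist" and "belongs to someone else", so the
    // response does not reveal which comment ids are in use.
    return deleteOwnComment($em, $pathId, $sessionUserId) ? 204 : 404;
}
```

With this shape, changing 2821 to 2822 in the request yields a 404 unless comment 2822 also belongs to the session's user.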
