I'm actually using Symfony, but this is a pure DB issue. Maybe you can point me to some best practices regarding this issue? Because it's a pretty common problem, but I didn't manage to find any good solution for it. Currently I have my own developed ORM and I make JOINs with the users table on every action that I make in any table, to make sure that the API request is not exposing records of other users.

Thanks, Edi.

On Wed, May 14, 2014 at 11:22 AM, 'Jasper N. Brouwer' via doctrine-user <[email protected]> wrote:

> Doctrine 2 is an object-relational mapper (ORM) [1] for PHP 5.3.3+ that provides transparent persistence for PHP objects.
> So in itself it cannot help you with your security issues; that's something you need to solve yourself.
>
> If you're looking for something that can help you with that, you might want to take a look at frameworks such as Symfony 2 [2], Zend Framework 2 [3] or Laravel 4 [4]. These all have Doctrine 2 support (some by default, others have modules/plugins for Doctrine 2).
>
> [1]: http://en.wikipedia.org/wiki/Object-relational_mapping
> [2]: http://symfony.com
> [3]: http://framework.zend.com
> [4]: http://laravel.com
>
> --
> Jasper N. Brouwer
> (@jaspernbrouwer)
>
>
> On 14 May 2014 at 09:51:13, [email protected] ([email protected]) wrote:
>
> > Hello,
> >
> > I'm thinking of using Doctrine, but I was wondering about the way Doctrine manages table security.
> > I have a RESTful service which receives API calls from a website and makes updates in the DB.
> > The problem is that anyone can change the IDs in the request and update records that do not belong to him.
> >
> > For example, I have a "Users" table and also a "Comments" table that has a "user_id" foreign key which points to a user record in the Users table.
> > If someone wants to delete his own comment he can send a delete API call. For example: DELETE /myservice/comment/2821
> > In this case 2821 is the comment id.
> > But what if he opens Fiddler and changes the comment id to 2822, which belongs to a different user?
> >
> > The trivial solution for this is to first fetch the comment, get its user_id, then fetch the user and check if this is the logged-in user.
> > But is there any built-in way to do it with Doctrine?
> >
> > Thanks,
> > Edi.
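The ownership check that the original question calls "the trivial solution" (fetch the comment, confirm its user_id is the logged-in user) is something Doctrine leaves to application code, as Jasper says. Below is an added example in PHP with Doctrine 2, not code from this thread or from the Doctrine project; it assumes a `Comment` entity with a `user` ManyToOne association to a `User` entity, and a `User::getId()` accessor.

```php
<?php
// Added example (not from the thread): enforce per-user ownership of a
// Comment before deleting it, using Doctrine 2's EntityManager.
// Assumed entities: User (id) and Comment (id, user ManyToOne -> User).

use Doctrine\ORM\EntityManagerInterface;

final class CommentDeleter
{
    public function __construct(private EntityManagerInterface $em) {}

    /**
     * Deletes $commentId only if it belongs to $currentUser.
     * Returns true when a comment was deleted, false when no comment with
     * that id is owned by the caller (non-existent id or another user's row).
     */
    public function delete(User $currentUser, int $commentId): bool
    {
        // Ownership is part of the lookup itself, so a tampered id
        // (2822 instead of 2821) that belongs to someone else finds nothing.
        // This is the "JOIN with the users table" check as a Doctrine query.
        $comment = $this->em->getRepository(Comment::class)->findOneBy([
            'id'   => $commentId,
            'user' => $currentUser,
        ]);

        if ($comment === null) {
            // Treat "missing" and "not yours" the same (e.g. HTTP 404) so the
            // API does not reveal which comment ids exist for other users.
            return false;
        }

        $this->em->remove($comment);
        $this->em->flush();
        return true;
    }

    /**
     * Same guarantee, written as the explicit fetch-then-compare the original
     * poster described. Prefer delete(): one query, and the check cannot be
     * forgotten when the entity is loaded elsewhere first.
     */
    public function isOwnedBy(User $currentUser, int $commentId): bool
    {
        $comment = $this->em->find(Comment::class, $commentId);

        return $comment !== null
            && $comment->getUser()->getId() === $currentUser->getId();
    }
}
```

In a Symfony 2 application the same comparison is normally placed in a security voter so every controller applies it the same way rather than re-implementing it per action.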
