GET or POST
I'm wondering what everyone is doing about the default links. I'm setting up an application that has multiple companies with multiple employees. One company can't see another company's employees.

However, if a manager can display a list of all their employees and edit them via GET, they can simply change the id in the address bar to pull up any arbitrary employee from their company or any other company.

If I use a postLink, then the edit page opens blank because the setFlash(__('The user could not be saved. Please, try again.')) is triggered before the find('list') can fill out the form.

I'm only a couple weeks new to CakePHP and am under the impression CakePHP won't allow an is() to validate a particular post name so I can create actions based on which post is being submitted; self or a view.

I tried to leave the link as GET and encrypt/decrypt, but that continued to fail.

Please, any suggestions would be great. I can't imagine this security hole doesn't have an easy fix. I just haven't seen it yet.

Thanks
Steve

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.
Re: GET or POST
I think you are confusing a few things here.
GET/POST has nothing to do with what pages you can access.
You should use role (preferred) or row based access control to those forms and non-public actions.

The type is relevant for what type of action you take.
GET if it does not alter the database (view, index, add/edit for display of form)
POST to alter the database (add/edit upon save, delete)

mark

On Friday, 8 August 2014 at 17:55:10 UTC+2, Steve Thomas wrote:
> [...]
Re: GET or POST
Thanks Mark,

I am using ACL. So for example, if a role such as a manager can list all the employees of that company, it also adds the Action links (add) (edit) (delete). If this manager clicks to edit one of the employees (users), this is sent to the EDIT view via GET with the user id in the address bar - controller/method/id. All the manager would have to do is change the id in the address bar to access another user. Possibly a user from a different company which they shouldn't be able to access.

It's generally not acceptable programming to send account id via GET because of this security breach. It should always be sent POST. However, the EDIT form submits to itself and therefore conflicts with other posts.

I was hoping this is such a basic and common flaw that there would be an easy fix.

I hope that cleared up what I'm trying to accomplish.

Another example is the DELETE link on the same Action with EDIT and ADD uses postLink() to avoid the id being sent via GET in the address bar. However, the delete page doesn't have any other POST or self submissions and no conflicts.

Thanks
Steve

On Friday, August 8, 2014 3:03:57 PM UTC-4, euromark wrote:
> [...]
Re: GET or POST
You should check the ACL in the edit controller action before actually doing anything.

/thomas

On 08 Aug 2014, at 22:33, Steve Thomas wrote:

> All the manager would have to do is change the id in the address bar to access another user. Possibly a user from a different company which they shouldn't be able to access.
Re: GET or POST
You could add a condition like

    'conditions' => array(
        'Employee.company_id' => $this->Auth->user('company_id')
    )

So when changing the id in the url the application still only allows fetching data which belongs to the same company.

The same applies for delete, just check before if the current user has access to the record to be deleted...

If you need to hide the id, then one option is to use uuid() as primary key.

Andras

On Aug 8, 2014, at 1:33 PM, Steve Thomas wrote:
> [...]
Re: GET or POST
Thanks Andras, I decided to do what you suggested with the condition. It works. If a manager of one company is editing one of their employees and decides to change the (id) in the address bar and the (id) belongs to an employee of a different company, a blank edit form will appear. If they fill out the form it simply adds another employee to their company roster.

I'm still amazed there isn't something in CakePHP that solves it with a post.

Thanks for your help.
Steve Thomas

On Friday, August 8, 2014 6:16:52 PM UTC-4, Andras Kende wrote:
> [...]
Re: GET or POST
Steve,

To keep things as simple as possible I would:

Edit with a changed id should not save as a new record, there is add() for that action.

Manipulating the id in the url should either redirect to index with a flash warning message or throw an error.

Andras

On Aug 8, 2014, at 5:21 PM, Steve Thomas wrote:
> [...]
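Putting Andras' two suggestions together, as an added example that is not code from the thread or from CakePHP itself: a CakePHP 2.x controller whose edit and delete actions both scope the record lookup to the logged-in user's company and reject a tampered id up front, so the blank form Steve saw (and the accidental insert on submit) never happens. The Employee model, its company_id column and an Auth user record carrying company_id are assumptions.

```php
<?php
// Added example, not code from the thread or from CakePHP itself. A CakePHP
// 2.x controller combining Andras' two points: the lookup is scoped to the
// caller's company, and a manipulated id is rejected instead of rendering a
// blank form that would insert a new row on submit. Assumed names: an
// Employee model with company_id, and Auth storing company_id for the user.
App::uses('AppController', 'Controller');

class EmployeesController extends AppController {

    public $components = array('Auth', 'Session');

    // Fetch one employee only if it belongs to the caller's company. Any other
    // id, existing or not, reads as "not found" (no hint about other tenants).
    protected function _findOwnEmployee($id) {
        $employee = $this->Employee->find('first', array(
            'conditions' => array(
                'Employee.id' => $id,
                'Employee.company_id' => $this->Auth->user('company_id'),
            ),
        ));
        if (empty($employee)) {
            throw new NotFoundException(__('Invalid employee'));
        }
        return $employee;
    }

    public function edit($id = null) {
        $employee = $this->_findOwnEmployee($id);

        if ($this->request->is('post') || $this->request->is('put')) {
            // Pin the primary key and the tenant server-side so a tampered
            // hidden field cannot re-point the save at another row or move
            // the employee into another company.
            $this->request->data['Employee']['id'] = $employee['Employee']['id'];
            $this->request->data['Employee']['company_id'] = $employee['Employee']['company_id'];

            // fieldList whitelists what the form may change (mass assignment).
            $saved = $this->Employee->save($this->request->data, array(
                'fieldList' => array('id', 'company_id', 'first_name', 'last_name', 'email'),
            ));
            if ($saved) {
                $this->Session->setFlash(__('The employee has been saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The employee could not be saved. Please, try again.'));
        } else {
            // GET only displays the form, populated from the verified record.
            $this->request->data = $employee;
        }
    }

    public function delete($id = null) {
        // Delete alters the database, so it must arrive as a POST (postLink()).
        if (!$this->request->is('post')) {
            throw new MethodNotAllowedException();
        }
        // Same ownership check before the row is touched.
        $employee = $this->_findOwnEmployee($id);
        $this->Employee->delete($employee['Employee']['id']);
        $this->Session->setFlash(__('The employee has been deleted.'));
        return $this->redirect(array('action' => 'index'));
    }
}
```

The check is on the record, not on the HTTP method: GET stays fine for showing the form, because the id in the URL is only ever used inside a query that is already constrained to the caller's own company.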