Or, you could create new 'finder' methods in your model table class
that find only records owned by the current user.
This example assumes you're using Doctrine, but there should be an
equivalent in Propel.
You specify these methods in your routine.yml;
leads:
class: sfDoctrineRouteCollection
options:
model: Lead
model_methods:
list: findAllOwned # only shows those owned by this user
object: findOwned # only allows access to objects owned by this
user
in this example you would modify your lib/model/doctrine/
LeadTable.class.php to include:
function findAllOwned ($parameters)
{
$q = $this->createQuery('p') ->where('p.user_id = ?',
sfContext::getInstance()->getUser()->getGuardUser()->getId());
return $q->execute();
}
function findOwned($parameters)
{
$q = $this->createQuery('p')
->where('p.id = ?',$parameters['id'])
->andWhere('p.user_id = ?', sfContext::getInstance()->getUser()-
>getGuardUser()->getId());
return $q->execute();
}
If the findOwned query returns no records then the routing system will
automatically forward to 404, so you don't need to explicitly test for
the correct owner in your action. This method takes a little more
setting up, but is, arguably, a more robust approach.
Hope this helps.
cheers,
Tony.
On Feb 9, 9:57 am, Gábor Fási <[email protected]> wrote:
> At the beginning of your action do a forward404Unless(current user is
> the owner).
>
>
>
> On Mon, Feb 8, 2010 at 17:29, wueb <[email protected]> wrote:
> > Hello buddies, need help!
>
> > On my Edit/Show actions i use the route to get the object to Edit/
> > Show.
>
> > Edit:
> > $this->form = new LeadsForm($this->getRoute()->getObject());
>
> > Show:
> > $this->leads = $this->getRoute()->getObject();
>
> > All normal here and works fine, but i need something more secure.
>
> > For example:
> > I'm the owner from the fields on the table with ID=1 and ID=2; Someone
> > that is no owner from that fields try to "hack" my values, for that he
> > goes to URL and type:http://localhost/frontend_dev.php/leads/1
>
> > He will be able to Edit/Show my values. How can i prevent this thing
> > happen?
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "symfony users" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group
> > athttp://groups.google.com/group/symfony-users?hl=en.
--
You received this message because you are subscribed to the Google Groups
"symfony users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/symfony-users?hl=en.
