Hey
(symfony 1.4 + Doctrine)
In the backend I have a list of members where each member is connected
to a sfGuardUser.
Now I want every Member to be able to edit only his own profile, but not the
ones of others.
For the list view I already have a solution with the table_method,
where I can specify a $q->andWhere():
    //Member.class.php
    [...]
    public function retrieveBackendMember(Doctrine_Query $q)
    {
        try {
            // not-admin-users may only edit their own profiles
            $user = sfContext::getInstance()->getUser();
            $user_id = $user->getGuardUser()->getId();
            if (!$user->hasCredential('admin'))
            {
                $rootAlias = $q->getRootAlias();
                $q->andWhere($rootAlias.'.sf_guard_user_id = ?', $user_id);
            }
        } catch (Exception $e) {
            // show none...
            $q->andWhere('false');
        }
        return $q;
    }
    [...]
But if I change the id in the URL I can edit others, too.
../backend_dev.php/members/23/edit
-> ../backend_dev.php/members/24/edit *WORKS, BUT I WANT A "NEED-AUTH" MESSAGE*
How can I do that?
Thanks!
comb
... who is tired from the symfony-google-marathon :-(
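
Added example, not part of the original post and not symfony's own code: the list filter above only hides rows, so the edit, update and delete requests need their own per-object ownership check. The sketch assumes the admin-generator module is named "members" (from the URL in the post), that its generated base class is autoMembersActions, and that the model is Member with the sf_guard_user_id column used above; mayAccess() and $objectActions are hypothetical names.

```php
<?php
// apps/backend/modules/members/actions/actions.class.php
// Assumed names: module "members", generated base class autoMembersActions,
// model Member with column sf_guard_user_id (as used in the post).

class membersActions extends autoMembersActions
{
  // Actions whose route resolves a single Member from the id in the URL.
  protected static $objectActions = array('edit', 'update', 'delete');

  public function preExecute()
  {
    // Keep the generated setup and the module-level credential check.
    parent::preExecute();

    if (in_array($this->getActionName(), self::$objectActions, true)
        && !$this->mayAccess($this->getRoute()->getObject()))
    {
      // Same page the security filter shows for missing credentials;
      // forward() stops execution of the requested action.
      $this->forward(
        sfConfig::get('sf_secure_module'),
        sfConfig::get('sf_secure_action')
      );
    }
  }

  // Object-level check: admins may touch any Member, everyone else only
  // the Member row linked to their own sfGuardUser.
  protected function mayAccess(Member $member)
  {
    $user = $this->getUser();
    if (!$user->isAuthenticated())
    {
      return false;
    }
    if ($user->hasCredential('admin'))
    {
      return true;
    }

    return (int) $member->get('sf_guard_user_id')
        === (int) $user->getGuardUser()->getId();
  }
}
```

Batch actions receive their ids as request parameters rather than through the object route, so they are not covered by this check and need their own, or should be disabled for non-admin users.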