On 6 Jun, 16:14, Alvaro Garcia <[email protected]> wrote:
> In my doctrine class (lib/model/doctrine/XXX.class.php) I have overwritten
> the constructor.
> The reason is I need to validate that a user can load this object
> (photograph in my case).
> Then, when I load a collection of photographs ($photoAlbum->getPhotos()) the
> constructor
> checks the permissions.
>
> To do it I need that the doctrine class can access the sfGuardUser.
> Is there any possibility for this class to access the user without being
> passed as a parameter?
That's a bad idea.
You should perform such a control in your controller, not in the
model.
The object should know anything about the current user.
I suggest you write a method like this one in your model class:

    public function checkUser(sfGuardUser $user)
    {
        // true only when the given user owns this object
        return $this->getUser()->getId() == $user->getId();
    }

and then in your action:

    public function executeFoo(sfWebRequest $request)
    {
        $this->object = $this->getRoute()->getObject();
        // forward to the secure module/action unless the current user owns the object
        $this->forwardUnless(
            $this->object->checkUser($this->getUser()->getGuardUser()),
            sfConfig::get('sf_secure_module'),
            sfConfig::get('sf_secure_action')
        );
    }

cheers
Massimiliano
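
An added example, not part of the original message and not symfony or sfGuard code: the same explicit-user check applied to the collection case from the question, written in plain PHP 8. The User and Photo classes, photosVisibleTo() and the sample data are hypothetical stand-ins, and an anonymous visitor is assumed to be represented as null.

```php
<?php
// Hypothetical stand-ins for the guard user and the Doctrine model (assumptions).
final class User
{
    public function __construct(private int $id) {}
    public function getId(): int { return $this->id; }
}

final class Photo
{
    public function __construct(private int $id, private User $owner) {}
    public function getId(): int { return $this->id; }

    // The model receives the user as an argument and never reads the session.
    // A null user (anonymous visitor) is denied instead of raising a type error.
    public function checkUser(?User $user): bool
    {
        return $user !== null && $this->owner->getId() === $user->getId();
    }
}

// Controller-side helper for a collection: keep only the photos that pass
// the per-object check, so nothing is returned unless explicitly allowed.
function photosVisibleTo(array $photos, ?User $user): array
{
    return array_values(array_filter(
        $photos,
        fn (Photo $photo): bool => $photo->checkUser($user)
    ));
}

// Constructed sample data.
$alice = new User(1);
$bob   = new User(2);
$album = [new Photo(10, $alice), new Photo(11, $bob), new Photo(12, $alice)];

// Helper to print photo ids only.
$ids = fn (array $photos): array => array_map(fn (Photo $p): int => $p->getId(), $photos);

var_dump($ids(photosVisibleTo($album, $alice))); // authenticated owner
var_dump($ids(photosVisibleTo($album, $bob)));   // a different authenticated user
var_dump($ids(photosVisibleTo($album, null)));   // anonymous visitor
```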