Hi, I want to give my users the ability to easily add, edit and delete "images" which are associated with their account. In the backend I just have a standard admin generator module for this that allows editing all the images on the site, but I want to give the users a front end version for their own use, where they can only edit their own images.
I have created the front end admin module; currently all images on the site get shown, but I want to limit the images that get displayed to just that user (i.e. so they don't see anything but their own images). I also need to ensure that they can't trick the website by playing with the XHTML, URL or HTTP requests to modify images that don't belong to them.

I know that I can modify the buildQuery() method in the imageActions class, but that doesn't seem very elegant. I also see the admin.build_query event which I know I could listen to, but again, not ideal (in my opinion). I would prefer to create a filter that ensures that they are only ever shown images that match their id (the site is secured with sfDoctrineGuardPlugin). But I have no idea how to approach this; I've never worked with filters before and the documentation that I've read seems more about just modifying the display of filters. Do I create a new filter object and then tell the generator.yml to use that filter instead of the default? Can you point me to any docs on this?

Also, the other question I have is: how are users prevented from editing other people's images? I.e. what's stopping someone from seeing /image/7/edit, which belongs to their account, and then guessing /image/9/edit, which belongs to someone else? How can I easily ensure that they're not adding, updating or deleting images that don't belong to them?

Thanks a lot :)

Brett

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
You received this message because you are subscribed to the Google Groups "symfony users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/symfony-users?hl=en
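The two questions above (narrowing the list, and stopping a user from guessing /image/9/edit) have different answers, because the admin generator uses two different paths to reach the database: buildQuery() feeds the index action, while edit, update and delete load the record by primary key through the object route, which buildQuery() never touches. The following is an added example, not code from the original post or from the symfony project. It assumes symfony 1.4 with Doctrine, a module named image generated with route_prefix image (so the base class is autoImageActions and the collection route is @image), an Image model with a user_id column, and sfDoctrineGuardPlugin providing getGuardUser(); the helper name getOwnerId() is the example's own.

```php
<?php
// apps/frontend/modules/image/actions/actions.class.php
// Added example, not the original post's or symfony's own code.
// Assumes: symfony 1.4 + Doctrine, Image has a `user_id` column,
// generated base class autoImageActions, sfDoctrineGuardPlugin.
class imageActions extends autoImageActions
{
  // Id of the logged-in sfGuardUser. security.yml must already require
  // authentication for this module, otherwise getGuardUser() is null.
  protected function getOwnerId()
  {
    return $this->getUser()->getGuardUser()->getId();
  }

  // 1. Listing: restrict the generator's own query to the caller's rows.
  // This only covers index/filter/sort; it does NOT protect /image/9/edit.
  protected function buildQuery()
  {
    $query = parent::buildQuery();
    $query->andWhere($query->getRootAlias().'.user_id = ?', $this->getOwnerId());

    return $query;
  }

  // 2. Object actions: the route fetches by primary key, so check ownership
  // before edit/update/delete run. Answering 404 rather than 403 also avoids
  // confirming that a guessed id exists.
  public function preExecute()
  {
    parent::preExecute(); // the generated base class builds its configuration here

    if (in_array($this->getActionName(), array('edit', 'update', 'delete')))
    {
      $image = $this->getRoute()->getObject(); // throws sfError404Exception if missing
      $this->forward404Unless($image->getUserId() == $this->getOwnerId());
    }
  }

  // 3. Batch delete: the ids arrive in the POST body, so select only the
  // rows the caller owns instead of deleting whatever was submitted.
  protected function executeBatchDelete(sfWebRequest $request)
  {
    $ids = (array) $request->getParameter('ids');
    if (!$ids)
    {
      $this->redirect('@image');
    }

    $records = Doctrine_Core::getTable('Image')->createQuery('i')
      ->whereIn('i.id', $ids)
      ->andWhere('i.user_id = ?', $this->getOwnerId())
      ->execute();

    foreach ($records as $record)
    {
      $record->delete();
    }

    $this->getUser()->setFlash('notice', 'The selected items have been deleted successfully.');
    $this->redirect('@image');
  }

  // 4. Create/update: the owner is set server-side, never taken from the
  // request. preExecute() has already verified ownership for updates.
  protected function processForm(sfWebRequest $request, sfForm $form)
  {
    $form->getObject()->setUserId($this->getOwnerId());
    parent::processForm($request, $form);
  }
}

// lib/form/doctrine/ImageForm.php (same added example): drop user_id from the
// form so a hand-crafted POST cannot reassign an image to another account.
class ImageForm extends BaseImageForm
{
  public function configure()
  {
    unset($this['user_id']);
  }
}
```

Two points worth keeping in mind with this layout: a filter on the list (step 1) is purely cosmetic from a security standpoint, since the record-level check in step 2 is what actually stops an id-guessing request, and removing user_id from the form (step 4) matters as much as the ownership check, because otherwise a user who passes the edit check could still submit user_id=2 and hand their own image to someone else.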
