Maybe add the username to a subdomain, like "username.myDomain.com", and create a new routing class that takes that username into account to filter items by user?
In the "More with Symfony" book there is a great example of this approach:
http://www.symfony-project.org/more-with-symfony/1_4/en/02-Advanced-Routing

Hope that helps

On Mon, Aug 9, 2010 at 12:35 AM, bretth <[email protected]> wrote:

> Hi,
>
> I want to give my users the ability to easily add, edit and delete
> "images" which are associated with their account. In the backend I
> just have a standard admin generator module for this that allows
> editing all the images on the site, but I want to give the users a
> front end version for their own use, where they can only edit their
> own images.
>
> I have created the front end admin module; currently all images on the
> site get shown, but I want to limit the images that get displayed to
> just that user (ie so they don't see anything but their own images)
>
> I also need to ensure that they can't trick the website by playing
> with the xhtml, URL or http requests to modify images that don't
> belong to them.
>
> I know that I can modify the buildQuery() method in the imageActions
> class; but that doesn't seem very elegant. I also see the
> admin.build_query event which I know I could listen to; but again; not
> ideal (in my opinion)
>
> I would prefer to create a filter that ensures that they are only ever
> shown images that match their id (the site is secured with
> sfDoctrineGuardPlugin).
>
> But I have no idea how to approach this; I've never worked with
> filters before and the documentation that I've read seems more about
> just modifying the display of filters.
>
> Do I create a new filter object and then tell the generator.yml to use
> that filter instead of the default? Can you point me to any docs on
> this?
>
> Also, the other question I have:
>
> is how are users prevented from editing other people's images; ie
> what's stopping someone from seeing
>
> /image/7/edit
>
> which belongs to their account, and then guessing
>
> /image/9/edit
>
> which belongs to someone else. How can I easily ensure that they're
> not adding, updating or deleting images that don't belong to them?
>
> Thanks a lot :)
>
> Brett

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com

You received this message because you are subscribed to the Google Groups "symfony users" group.
For more options, visit this group at http://groups.google.com/group/symfony-users?hl=en
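
The ownership check asked about in this thread (/image/7/edit versus /image/9/edit), as an added example that is not part of the original messages and is not Symfony or sfDoctrineGuardPlugin code. It assumes an `image` table with a `user_id` owner column and a user ID taken from the authenticated session, never from the request; all function names and sample rows are constructed for illustration.

```python
import sqlite3

class NotFound(Exception):
    """Raised for a missing row and for a row owned by someone else alike,
    so the response does not reveal which image IDs exist."""

# Columns a user may change. user_id is deliberately absent, so a forged
# form field cannot reassign ownership.
EDITABLE = {"title", "path"}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE image (id INTEGER PRIMARY KEY, "
               "user_id INTEGER NOT NULL, title TEXT, path TEXT)")
    # Constructed sample rows: images 7 and 8 belong to user 1, image 9 to user 2.
    db.executemany("INSERT INTO image VALUES (?, ?, ?, ?)",
                   [(7, 1, "cat", "7.png"), (8, 1, "dog", "8.png"),
                    (9, 2, "boat", "9.png")])
    return db

def list_images(db, session_user_id):
    # The list view is scoped by owner in the query itself.
    rows = db.execute("SELECT id FROM image WHERE user_id = ? ORDER BY id",
                      (session_user_id,))
    return [r[0] for r in rows]

def get_image(db, session_user_id, image_id):
    # Used by show/edit: the ID from the URL is only honoured together with the owner.
    row = db.execute("SELECT id, title, path FROM image "
                     "WHERE id = ? AND user_id = ?",
                     (image_id, session_user_id)).fetchone()
    if row is None:
        raise NotFound(image_id)
    return dict(zip(("id", "title", "path"), row))

def update_image(db, session_user_id, image_id, fields):
    changes = {k: v for k, v in fields.items() if k in EDITABLE}
    if not changes:
        get_image(db, session_user_id, image_id)  # still enforce ownership
        return
    # Column names come only from the EDITABLE allow-list, values are bound.
    assignments = ", ".join(f"{col} = ?" for col in changes)
    cur = db.execute(f"UPDATE image SET {assignments} WHERE id = ? AND user_id = ?",
                     (*changes.values(), image_id, session_user_id))
    if cur.rowcount != 1:
        raise NotFound(image_id)

def delete_image(db, session_user_id, image_id):
    cur = db.execute("DELETE FROM image WHERE id = ? AND user_id = ?",
                     (image_id, session_user_id))
    if cur.rowcount != 1:
        raise NotFound(image_id)
```

The point carried by every function is that the owner condition is part of the same statement that reads or writes the row, so filtering the list view alone is not relied on to protect edit, update and delete.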
