#544: Potentially unsafe global request data is accessible in
Action::initialize() and View::initialize() and others
---------------------+------------------------------------------------------
Reporter: david | Owner: david
Type: defect | Status: new
Priority: high | Milestone: 0.11
Component: _OTHER_ | Version: 0.11.0RC5
Severity: major | Resolution:
Keywords: |
---------------------+------------------------------------------------------
Comment (by MugeSo):
Example for addActionMethodsForUseRequestData.2.patch
{{{
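/**
 * Example base action for the proposed *WithRequestData() hooks.
 *
 * Each hook that takes an AgaviRequestDataHolder is paired with an
 * argument-less fallback which, per the comments in this example, supplies the
 * answer when validation fails.
 */
class SomeAbstructAction extends AgaviAction
{
    /**
     * @var SomeModel a model instance
     */
    protected $myModel = null;

    /**
     * Initialize $myModel, which is used by child classes.
     *
     * @param AgaviRequestDataHolder $rd request data holder; its 'name'
     *                                   parameter is handed to the model.
     *
     * @return void
     */
    public function initializeWithRequestData(AgaviRequestDataHolder $rd)
    {
        $name = $rd->getParameter('name');
        $this->myModel = $this->getContext()->getModel("SomeModel", null, array('name' => $name));
    }

    /**
     * Answer whether this action is secure, according to request data.
     *
     * @param AgaviRequestDataHolder $rd request data holder.
     *
     * @return bool true only when 'subject' is exactly the string 'secret-subject'.
     */
    public function isSecureWithRequestData(AgaviRequestDataHolder $rd)
    {
        // Strict comparison: with ==, PHP's type juggling lets a non-string
        // value such as boolean true compare equal to the literal.
        return $rd->getParameter('subject') === 'secret-subject';
    }

    /**
     * Answer whether this action is secure if validation fails.
     *
     * NOTE(review): if false means "no authentication required", as it
     * presumably does for AgaviAction::isSecure(), a request that fails
     * validation bypasses the security check. Confirm that the error path
     * exposes nothing protected, or return true here to fail closed.
     *
     * @return bool always false.
     */
    public function isSecure()
    {
        return false;
    }

    /**
     * Answer the required credentials, according to request data.
     *
     * NOTE(review): 'item_id' is concatenated into the credential name
     * unchanged, so the name is only as trustworthy as the validation applied
     * to that parameter. Confirm that a validator constrains it.
     *
     * @param AgaviRequestDataHolder $rd request data holder.
     *
     * @return array single-element list holding 'credential-' plus the item id.
     */
    public function getCredentialsWithRequestData(AgaviRequestDataHolder $rd)
    {
        return array('credential-' . $rd->getParameter('item_id'));
    }

    /**
     * Answer the required credentials if validation fails.
     *
     * NOTE(review): null presumably means that no credential is required;
     * verify that this fallback cannot be reached for a protected item.
     *
     * @return null always null.
     */
    public function getCredentials()
    {
        return null;
    }
}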
}}}
--
Ticket URL: <http://trac.agavi.org/ticket/544#comment:3>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5