[email protected] wrote:
> Dear all,
>
> 1. Once my user has logged in, I'd like to store the user name in a
> session variable for display in a template. How do I do this in my
> LoginAction? I tried this:
>
> $this->getContext()->getStorage()->write('ADMIN_U', $u);
It is strongly recommended not to use AgaviStorage directly but to use
User attributes instead, which are also stored in the session. So,
instead do something like:
$this->context->getUser()->setAttribute('id', $userId, 'my.user.namespace');
$this->context->getUser()->setAttribute('name', $userName, 'my.user.namespace');
>
> My question is, when resubmitting the form, what is the best way to pass
> the record ID back to the Action::executeWrite() method? Currently, I'm
> passing it on the URL. I could instead set it as a hidden field in the
> form. But in either case, a user could change it in the page source code
> and thereby perform an update on a different record instead. Is there a
> way to avoid this? How?
>
I think first you need to ask yourself: do I really have to worry about
this? If the user can edit (as in "has the right to edit") all records,
but for some reason manipulates the id before sending the form, what's
the harm?
BUT
If you need to check access credentials before updating a record, I'd
write a validator for it and not worry about users hacking the generated
HTML. You could store the id or some secure hash in the session and do
all kinds of tests and tricks, but it wouldn't be worth it IMO. Simply
validate the input (e.g. with CheckUserAccessToMyObjectValidator) and if
the user tries to update an object he/she doesn't have proper
credentials for, show an error. That's it.
-veikko
--
Veikko Mäkinen
[email protected]
044 5910 413
http://blog.veikko.fi
_______________________________________________
users mailing list
[email protected]
http://lists.agavi.org/mailman/listinfo/users
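The two answers above fit together: the login action stores the user's id and name as User attributes (which live in the session), and a validator later reads that id back to decide whether the record id submitted with the edit form may be updated at all. The PHP below is an added illustration, not code from the list post or from the Agavi project. It assumes the Agavi 1.0 action and validator APIs (AgaviAction::getContext(), AgaviRequestDataHolder::getParameter(), AgaviSecurityUser::setAuthenticated()/isAuthenticated()/setAttribute()/getAttribute(), AgaviValidator::validate()/getData()/getArgument()/throwError()); the credential check and the record-ownership table are constructed stand-ins for whatever store a real application uses.

```php
<?php
// Added example (not from the list post or the Agavi project).
// Assumes the Agavi 1.0 class names and method signatures named in the lead-in.

class LoginAction extends AgaviAction
{
    public function executeWrite(AgaviRequestDataHolder $rd)
    {
        // Constructed credential lookup: username => [id, password hash].
        // A real application would query its user store instead.
        $accounts = array(
            'alice' => array(42, password_hash('alice-secret', PASSWORD_DEFAULT)),
        );

        $username = $rd->getParameter('username');
        $password = $rd->getParameter('password');

        if (!isset($accounts[$username])
            || !password_verify($password, $accounts[$username][1])) {
            $this->setAttribute('error', 'Invalid username or password.');
            return 'Error';
        }

        // Store identity as User attributes rather than writing to AgaviStorage
        // directly; the attributes are persisted in the session by the framework.
        $user = $this->getContext()->getUser();
        $user->setAuthenticated(true);
        $user->setAttribute('id', $accounts[$username][0], 'my.user.namespace');
        $user->setAttribute('name', $username, 'my.user.namespace');

        // A template can now read the name via
        // $this->getContext()->getUser()->getAttribute('name', 'my.user.namespace').
        return 'Success';
    }
}

// Validator for the record id submitted with the edit form (hidden field or URL
// parameter). Because the check is done server-side against the logged-in
// user's id, a tampered id simply fails validation before executeWrite() runs.
class CheckUserAccessToMyObjectValidator extends AgaviValidator
{
    // Constructed ownership table: record id => owner user id.
    // Stands in for a database query in a real application.
    private static $owners = array(
        101 => 42,
        102 => 42,
        103 => 7,
    );

    protected function validate()
    {
        // The argument name (e.g. "id") is configured in validators.xml.
        $recordId = (int) $this->getData($this->getArgument());
        $user = $this->getContext()->getUser();

        if (!$user->isAuthenticated()) {
            $this->throwError('not_authenticated');
            return false;
        }

        $userId = $user->getAttribute('id', 'my.user.namespace');

        if (!isset(self::$owners[$recordId]) || self::$owners[$recordId] !== $userId) {
            // Same error whether the record is missing or owned by someone else,
            // so the response does not reveal which ids exist.
            $this->throwError('no_access');
            return false;
        }

        return true;
    }
}
```

With the validator registered for the edit action's id argument, the action body needs no ownership check of its own: it only ever sees ids that already passed validation, and the decision is made from the session-held user id rather than from anything the client sent.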