CODEWITHSUNDEEP
securityroutessymfony1sfdoctrineguard
Erman Taylan
Erman Taylan

Reputation: 383

with Symfony sfDoctrineGuardPlugin, users can open a page which actually they cannot by changing url

I am using Symfony 1.4, sfDoctrineGuardPlugin.

On my backend app, users can reach a page which they cannot actually by changing url manually. Is there any way to stop it?

Lets say, every author can just reach their own data normally. But if they change id on url they can edit which article they want. I searched on the internet but cannot find any solution for it? Do you know a way?

Thanks a lot.

Upvotes: 1

Views: 358

Answers (2)

Darmen
Darmen

Reputation: 4881

By just hiding things that doesn't belong to a particular author you can't protect them from being edited or deleted.

Overload executeEdit/executeUpdate/executeDelete actions in your backend modules to avoid unauthorized management.

Something like:

public function executeEdit(sfWebRequest $request) {
    ...
    $this->forward404Unless($this->article->belongsTo($me));
    ...
}

In addition, you can check for proper credentials. It's useful when you want to some user groups to access some special content, or content of another users.

Hope that helps.

Upvotes: 1

sarp
sarp

Reputation: 3750

you have to make a relation between article and authors. I presume there is already one, so the best approach is to override doSelect method in ArticlePeer to check with Author. Just add a criteria to select articles belongs to the current user.

Upvotes: 0

Related Questions