
I am using Symfony 1.4, sfDoctrineGuardPlugin.

On my backend app, users can reach pages they are not supposed to by changing the URL manually. Is there any way to stop it?

Let's say every author can normally reach only their own data. But if they change the id in the URL they can edit whichever article they want. I searched on the internet but cannot find any solution for it. Do you know a way?

Thanks a lot.

Erman Taylan

2 Answers


By just hiding things that don't belong to a particular author you can't protect them from being edited or deleted.

Overload executeEdit/executeUpdate/executeDelete actions in your backend modules to avoid unauthorized management.

Something like:

public function executeEdit(sfWebRequest $request) {
    ...
    // $me is the currently logged-in user (e.g. $this->getUser()->getGuardUser());
    // belongsTo() is an ownership check you add to your Article model.
    // An article owned by someone else is answered with a 404, as if it did not exist.
    $this->forward404Unless($this->article->belongsTo($me));
    ...
}

In addition, you can check for proper credentials. It's useful when you want some user groups to access special content, or other users' content.

Hope that helps.

Darmen Amanbay
  • Thanks man, it works. I use forward404Unless in the execute functions. I already have user groups and their permissions. Thanks again. – Erman Taylan Jan 24 '11 at 15:49
  • If you add logic to the controller, then you have to make sure you take care of it everywhere. To ensure safety you should rather move the logic to the model. – pars Jan 25 '11 at 18:27

You have to make a relation between article and authors. I presume there is already one, so the best approach is to override the doSelect method in ArticlePeer to check against the Author. Just add a criteria to select only articles belonging to the current user.

pars
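The two answers describe the same fix from two sides: the first checks ownership in each action, the second scopes the query in the model so the check cannot be forgotten. The following is an added example (not code from either answer or from sfDoctrineGuardPlugin) that combines both for symfony 1.4 with Doctrine. It assumes an Article model with an author_id column referencing sf_guard_user.id, and the helper names ArticleTable::findOwnedBy(), ArticleTable::getOwnedByQuery(), getOwnedArticle() and the "admin" credential are assumptions introduced here.

```php
<?php
// Added example for symfony 1.4 + Doctrine 1.2 + sfDoctrineGuardPlugin.
// Assumptions: an "Article" model with an "author_id" column pointing at
// sf_guard_user.id; the helper names below are hypothetical, not plugin API.

// lib/model/doctrine/ArticleTable.class.php
class ArticleTable extends Doctrine_Table
{
    /**
     * Fetch one article only if it belongs to $userId.
     * Putting the ownership condition in the query itself means every
     * caller gets the check for free, instead of each action having to
     * remember a belongsTo() test after a plain find().
     */
    public function findOwnedBy($id, $userId)
    {
        return $this->createQuery('a')
            ->where('a.id = ?', $id)
            ->andWhere('a.author_id = ?', $userId)
            ->fetchOne();
    }

    /** List query for executeIndex, so authors only ever see their own rows. */
    public function getOwnedByQuery($userId)
    {
        return $this->createQuery('a')
            ->where('a.author_id = ?', $userId)
            ->orderBy('a.updated_at DESC');
    }
}

// apps/backend/modules/article/actions/actions.class.php
class articleActions extends sfActions
{
    /**
     * Resolves the article from the request identically for edit, update
     * and delete. An id that exists but belongs to another author yields
     * the same 404 as a non-existent id, so guessing ids leaks nothing.
     * Users holding the (assumed) "admin" credential may manage any article.
     */
    protected function getOwnedArticle(sfWebRequest $request)
    {
        $id   = $request->getParameter('id');
        $user = $this->getUser();

        if ($user->hasCredential('admin')) {
            $article = Doctrine_Core::getTable('Article')->find($id);
        } else {
            $article = Doctrine_Core::getTable('Article')
                ->findOwnedBy($id, $user->getGuardUser()->getId());
        }

        $this->forward404Unless($article, sprintf('Article "%s" not found.', $id));

        return $article;
    }

    public function executeIndex(sfWebRequest $request)
    {
        $this->articles = Doctrine_Core::getTable('Article')
            ->getOwnedByQuery($this->getUser()->getGuardUser()->getId())
            ->execute();
    }

    public function executeEdit(sfWebRequest $request)
    {
        $this->form = new ArticleForm($this->getOwnedArticle($request));
    }

    public function executeUpdate(sfWebRequest $request)
    {
        $this->forward404Unless($request->isMethod(sfRequest::PUT) || $request->isMethod(sfRequest::POST));
        // The check runs on update as well: the id in the form POST is attacker-controlled too.
        $this->form = new ArticleForm($this->getOwnedArticle($request));
        $this->form->bind($request->getParameter($this->form->getName()), $request->getFiles($this->form->getName()));
        if ($this->form->isValid()) {
            $article = $this->form->save();
            $this->redirect('article/edit?id=' . $article->getId());
        }
        $this->setTemplate('edit');
    }

    public function executeDelete(sfWebRequest $request)
    {
        $request->checkCSRFProtection();
        $this->getOwnedArticle($request)->delete();
        $this->redirect('article/index');
    }
}
```

One related gap worth closing in the same change: if ArticleForm still exposes the author_id field, an author can re-assign an article they legitimately own by editing the POST body. Remove that widget in ArticleForm::configure() with unset($this['author_id']) and set the author from the session in the create action, so ownership is never taken from user input.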