Hi,
in my opinion, it is not good that everybody has default access to all methods in every class (e.g. a URL like domain.com/MyClass/myMethod). I think there should be some kind of list of methods in every class which can be accessed by URL. Something like
static $request_methods = array('deleteitem', 'index', ...);
Or every request can be redirected to the 'defaultAction' method, which can be like:
function defaultAction() {
    // Name of the requested action, taken from the URL parameters.
    $action = $this->urlParams['Action'];
    // Public actions: anyone may call these.
    switch ($action) {
        case 'index':
        case 'search': $this->$action(); return;
    }
    // Privileged actions: only logged-in members with the right permission.
    $member = Member::currentUser();
    if ($member && $this->canModify($member)) { // canModify() stands in for the real permission check
        switch ($action) {
            case 'delete':
            case 'change': $this->$action(); return;
        }
    }
    // Anything else falls through to the parent's default handling.
    parent::defaultAction();
}
..., so that finer security control can be implemented.
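The allow-list idea from the post, worked through as a small stand-alone PHP dispatcher. This is an added example, not code from the original post and not the framework's own routing; the controller, the `Member` stand-in, the permission names and the `allowedActions()` helper are all assumptions made up for illustration. It shows the deny-by-default behaviour the post argues for: a public PHP method that is not listed is unreachable by URL, and listed methods can carry a per-action permission requirement.

```php
<?php
// Added example (not from the original post, not the framework's own code):
// a minimal front controller that only dispatches actions listed in an
// explicit allow-list and applies a permission check for privileged ones.
// Class/method names and the permission model are assumptions for illustration.

abstract class Controller
{
    // Actions reachable by URL and the permission each needs (null = public).
    protected static $allowed_actions = [];

    public static function allowedActions(): array
    {
        return static::$allowed_actions;
    }
}

class ItemController extends Controller
{
    protected static $allowed_actions = [
        'index'      => null,          // public
        'search'     => null,          // public
        'deleteitem' => 'ITEM_DELETE', // needs permission
        'change'     => 'ITEM_EDIT',   // needs permission
    ];

    public function index(): string      { return 'listing items'; }
    public function search(): string     { return 'search results'; }
    public function deleteitem(): string { return 'item deleted'; }
    public function change(): string     { return 'item changed'; }
    // Not in the allow-list: must never be reachable via URL even though it is public in PHP terms.
    public function purgeAll(): string   { return 'everything purged'; }
}

// Constructed stand-in for the framework's current-user object.
class Member
{
    public function __construct(private array $permissions) {}
    public function can(string $perm): bool { return in_array($perm, $this->permissions, true); }
}

/**
 * Dispatch "/Class/method" to a controller, refusing anything not allow-listed.
 * Returns [HTTP status, body].
 */
function dispatch(string $path, ?Member $member, array $controllers): array
{
    $parts  = array_values(array_filter(explode('/', $path)));
    $class  = $parts[0] ?? '';
    $action = $parts[1] ?? 'index';

    if (!isset($controllers[$class])) {
        return [404, 'no such controller'];
    }
    $controller = $controllers[$class];
    $allowed    = $controller::allowedActions();

    // Deny by default: the method must be explicitly listed, regardless of PHP visibility.
    if (!array_key_exists($action, $allowed)) {
        return [404, 'action not available'];
    }
    $required = $allowed[$action];
    if ($required !== null && !($member && $member->can($required))) {
        return [403, 'forbidden'];
    }
    return [200, $controller->$action()];
}

// Constructed requests run against the dispatcher.
$controllers = ['ItemController' => new ItemController()];
$anon   = null;
$editor = new Member(['ITEM_EDIT']);

foreach ([
    ['/ItemController/index',      $anon],    // 200: public
    ['/ItemController/deleteitem', $anon],    // 403: needs ITEM_DELETE, nobody logged in
    ['/ItemController/deleteitem', $editor],  // 403: editor lacks ITEM_DELETE
    ['/ItemController/change',     $editor],  // 200: editor has ITEM_EDIT
    ['/ItemController/purgeAll',   $editor],  // 404: not allow-listed at all
] as [$url, $who]) {
    [$status, $body] = dispatch($url, $who, $controllers);
    printf("%-30s %-6s -> %d %s\n", $url, $who ? 'editor' : 'anon', $status, $body);
}
```

Run it with `php example.php` (PHP 8 or later, because of constructor property promotion). The important design point is the `array_key_exists` check before any method call: the allow-list is consulted first, so a method that is merely `public` in PHP is still not an HTTP endpoint, and the unlisted `purgeAll()` is reported as not available rather than executed.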