Jump to:

17452 Posts in 4473 Topics by 1971 members

Archive

SilverStripe Forums » Archive » Security: access to methods

Our old forums are still available as a read-only archive.

Moderators: martimiz, Sean, biapar, Willr, Ingo, simon_w

Page: 1
Go to End
Author Topic: 1891 Views
  • xmedeko
    Avatar
    Community Member
    94 Posts

    Security: access to methods Link to this post

    Hi,
    in my opinion, it is not good that everybody has default access to all methods in every class (e.g. URL like domain.com/MyClass/myMethod). I think, there should be some kind of list of methods in every class, which can be accessed by URL. Something like

    static $request_methods = array ('deleteitem',index',...);

    Or every request can be redirected to the 'defaultAction' method, which can be like:

    function defaultAction() {
    $action = urlParams['Action'];
    switch ($action) {
    case 'index':
    case 'search': $this->$action(); return;
    }
    $member = Member::currentUser();
    if ($member && some permission) {
    switch ($action) {
    case 'delete':
    case 'change': $this->$action(); return;
    }
    }
    parent::defaultAction();
    }
    ... , so the the finer security control can be implemented.

  • Sam
    Avatar
    Administrator
    679 Posts

    Re: Security: access to methods Link to this post

    This is a good point. But I think that "allowed actions" is probably a better name than request methods.

    Controller::run() would be the best place to put this logic.

    But, for backward compatability, I think that we would need to make static $allowed_actions an optional setting - otherwise we risk breaking existing sites.

    Perhaps SilverStripe could throw a warning when allowed_actions is missing from a controller?

    Additionally, we could have static $allowed_actions = "none" to disable all access to the Controller.

    Do you think access to "index" should be implicit, or should that be explicitly enabled?

  • xmedeko
    Avatar
    Community Member
    94 Posts

    Re: Security: access to methods Link to this post

    Hi,

    I do not think $allowed_actions should be optional. But yeah, the backward compatibility is the problem. There may be some warning, if the site is in the Dev or Test mode. It should not be difficult to make $allowed_actions for existing web sites.

    I think access to "index" should be explicit, because one does not need to access "index" for DataObject (e.g. URL like "PageComment/index"). It may be implicitly enabled only for Pages (ContentController or ModelAsController?).

  • Sigurd
    Avatar
    Forum Moderator
    628 Posts

    Re: Security: access to methods Link to this post

    On a similar note, it would be good to have methods that can be accessed via navigation appear in the Insert-Link diaglogue inside the CMS.

    For instance, you can only link to the "/admin/" (well, /security/login) or /ForumMemberProfile/register via an external link. It'd be great to have these included in the insert link dialogue for ease of use.

  • Sigurd
    Avatar
    Forum Moderator
    628 Posts

    Re: Security: access to methods Link to this post

    What about:

    you must put things into /allowed actions/ ... if you don't you can access it but only be being logged in as an admin ?

    It seems like it could be feasible to upgrade methods for 2.1 by putting notices in and having GSOCers rid the notices ... ?

  • wakeless
    Avatar
    5 Posts

    Re: Security: access to methods Link to this post

    I've got a different suggestion, why not give force developers to provide a _Controller class for each dataobject or page. This way only functions that are explicitly added to the _Controller can be executed.

    This is probably a better design regardless due to it separating Control and Model more than it currently is. IMHO DataObject should not inherit controller.

  • wakeless
    Avatar
    5 Posts

    Re: Security: access to methods Link to this post

    I've attached a sample implementation of this at http://dev.wakeless.net/contentcontroller.diff it hasn't been heavily tested but it works

    1891 Views
Page: 1
Go to Top

Want to know more about the company that brought you SilverStripe? Then check out SilverStripe.com

Comments on this website? Please give feedback.