Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Archive

Our old forums are still available as a read-only archive.

Moderators: martimiz, Sean, biapar, Willr, Ingo, simon_w

Security: access to methods


Reply

7 Posts   1911 Views

Avatar
xmedeko

5 July 2007 at 9:11am Community Member, 94 Posts

Hi,
in my opinion, it is not good that everybody has default access to all methods in every class (e.g. URL like domain.com/MyClass/myMethod). I think, there should be some kind of list of methods in every class, which can be accessed by URL. Something like

static $request_methods = array ('deleteitem',index',...);

Or every request can be redirected to the 'defaultAction' method, which can be like:

function defaultAction() {
$action = urlParams['Action'];
switch ($action) {
case 'index':
case 'search': $this->$action(); return;
}
$member = Member::currentUser();
if ($member && some permission) {
switch ($action) {
case 'delete':
case 'change': $this->$action(); return;
}
}
parent::defaultAction();
}
... , so the the finer security control can be implemented.

Avatar
Sam

6 July 2007 at 10:59am Administrator, 679 Posts

This is a good point. But I think that "allowed actions" is probably a better name than request methods.

Controller::run() would be the best place to put this logic.

But, for backward compatability, I think that we would need to make static $allowed_actions an optional setting - otherwise we risk breaking existing sites.

Perhaps SilverStripe could throw a warning when allowed_actions is missing from a controller?

Additionally, we could have static $allowed_actions = "none" to disable all access to the Controller.

Do you think access to "index" should be implicit, or should that be explicitly enabled?

Avatar
xmedeko

9 July 2007 at 11:15am Community Member, 94 Posts

Hi,

I do not think $allowed_actions should be optional. But yeah, the backward compatibility is the problem. There may be some warning, if the site is in the Dev or Test mode. It should not be difficult to make $allowed_actions for existing web sites.

I think access to "index" should be explicit, because one does not need to access "index" for DataObject (e.g. URL like "PageComment/index"). It may be implicitly enabled only for Pages (ContentController or ModelAsController?).

Avatar
Sigurd

18 July 2007 at 2:23pm Forum Moderator, 628 Posts

On a similar note, it would be good to have methods that can be accessed via navigation appear in the Insert-Link diaglogue inside the CMS.

For instance, you can only link to the "/admin/" (well, /security/login) or /ForumMemberProfile/register via an external link. It'd be great to have these included in the insert link dialogue for ease of use.

Avatar
Sigurd

18 July 2007 at 2:25pm Forum Moderator, 628 Posts

What about:

you must put things into /allowed actions/ ... if you don't you can access it but only be being logged in as an admin ?

It seems like it could be feasible to upgrade methods for 2.1 by putting notices in and having GSOCers rid the notices ... ?

Avatar
wakeless

14 August 2007 at 9:30am 5 Posts

I've got a different suggestion, why not give force developers to provide a _Controller class for each dataobject or page. This way only functions that are explicitly added to the _Controller can be executed.

This is probably a better design regardless due to it separating Control and Model more than it currently is. IMHO DataObject should not inherit controller.

Avatar
wakeless

16 August 2007 at 5:43pm 5 Posts

I've attached a sample implementation of this at http://dev.wakeless.net/contentcontroller.diff it hasn't been heavily tested but it works