
Security of selfmade customer center


4 Posts   312 Views

cSGermany

28 July 2013 at 2:10am Community Member, 37 Posts

Hi folks,

I've just created a kind of customer center on my SS 3.0.5 page.
The code is quite simple, but first I'll tell you the page structure:

My holder is CustomerCenter with child pages of type CustomerPage. Each CustomerPage has a simple text field called "CustomersEmailAddress".

The CustomerPage contains all info for one customer: invoices, downloads, information and so on.

CustomersEmailAddress contains the same e-mail address as the customer's account.

I've got no registration form or anything like that on my page, so I create the accounts for my customers myself.

Ok, now let's go to the template code of CustomerCenter:

<% loop Children %>
   <% if CustomersEmailAddress = CurrentMember.Email %>
      here are all the CustomerPage variables
   <% end_if %>
<% end_loop %>

With this method, the customer only gets the content of his CustomerPage.

It works. BUT how secure is this?!
Can someone tell me this or show me a better way to create a CustomerCenter?

Thank you in advance

cSGermany

cSGermany

29 July 2013 at 6:01pm Community Member, 37 Posts

Push! :)

Pigeon

29 July 2013 at 6:26pm (Last edited: 29 July 2013 7:15pm), Community Member, 243 Posts

It looks "fine" in terms of security. Usually I'd use a has_one to link pages and members, rather than relying on the current user's email address (which could change, so you'd need to change it twice if it did).

Usually this kind of permission check should happen in the controller so you can throw an httpError.

Eg:

class CustomerCentre_Controller extends Page_Controller {

   ...

   public function index() {
      // Look up the child page whose CustomerID matches the logged-in member
      if ($customer = $this->Children()->filter("CustomerID", Member::currentUserID())->First()) {
         return $this->customise(array(
            "Customer" => $customer
         ));
      }
      // No matching page: send the visitor to the login / permission-failure response
      return Security::permissionFailure($this);
   }

   ...

}

The above would allow you to do this in the template:

<% if Customer %>
   <% with Customer %>
      ...
   <% end_with %>
<% end_if %>

Personally, I wouldn't be using child pages; I'd use "company" or "client" DataObjects that are linked to the Member objects and then just use an 'action' on the ClientCentre to show it like a page.
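A worked version of the approach Pigeon describes, written as an added example that is not code from this thread or from SilverStripe itself: the CustomerPage gets a has_one to Member, a canView() so the page is also protected when someone requests it directly by its own URL (the template loop in the first post only hides it inside the holder), and the holder's controller does the lookup. Class names, the field label, the ADMIN bypass and the use of public static config (SS 3.0 style) are assumptions.

```php
// Added example, not from the thread. Assumes SilverStripe 3.0/3.1 and the
// page types named in the thread (CustomerCenter holder, CustomerPage children).

class CustomerPage extends Page {

    // Link each customer page to exactly one Member; stored as CustomerID.
    public static $has_one = array(
        'Customer' => 'Member',
    );

    public function getCMSFields() {
        $fields = parent::getCMSFields();
        // Let the site owner pick the customer account in the CMS.
        $field = new DropdownField('CustomerID', 'Customer account',
            Member::get()->map('ID', 'Email')->toArray());
        $field->setEmptyString('(no customer)');
        $fields->addFieldToTab('Root.Main', $field, 'Content');
        return $fields;
    }

    // Enforce the rule on the page itself: ContentController::init() calls
    // canView(), so a direct request to /customer-center/some-customer/ is
    // refused too, not only hidden inside the holder's loop.
    public function canView($member = null) {
        if (!$member) $member = Member::currentUser();
        if ($member && Permission::checkMember($member, 'ADMIN')) return true;
        return $member && (int) $this->CustomerID === (int) $member->ID;
    }
}

class CustomerCenter_Controller extends Page_Controller {

    public function index() {
        // Anonymous visitors have ID 0, which would otherwise match any
        // CustomerPage that has no customer assigned yet.
        if (!Member::currentUserID()) {
            return Security::permissionFailure($this);
        }
        $customer = CustomerPage::get()
            ->filter(array(
                'ParentID'   => $this->dataRecord->ID,
                'CustomerID' => Member::currentUserID(),
            ))
            ->First();
        if (!$customer) {
            return Security::permissionFailure($this);
        }
        return $this->customise(array('Customer' => $customer));
    }
}
```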

cSGermany

30 July 2013 at 9:00pm Community Member, 37 Posts

Hi Pigeon,
thank you for your answer.

So my method is more or less secure :D That's good to know!

But I'll test your version. There's one question left: how do I link a customer to a page?

Thank you in advance

cSGermany