Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

We've moved the forum!

Please use forum.silverstripe.org for any new questions (announcement).
The forum archive will stick around, but will be read only.

You can also use our Slack channel or StackOverflow to ask for help.
Check out our community overview for more options to contribute.

Data Model Questions /

Moderators: martimiz, Sean, Ed, biapar, Willr, Ingo, swaiba

Permission at the field level


Go to End


6 Posts   1534 Views

Avatar
BenWu

Community Member, 97 Posts

31 July 2012 at 3:52am

Edited: 31/07/2012 3:54am

I know that it is possible to setup permission at the Model or Action level using Permission::check or canEdit/canAdd/canDelete

However, is it possible to setup database field level permission? So that fields are excluded from editing for front-end editing. Even 'hackers' tried to post the extra fields, it will be ignored. For example, if you got paid subscription model, you don't want the front end user to edit the Status field of the subscription.

In the Yii framework, you can specify which fields are 'safe' or not. Is it possible to have the feature in SS ?

Currently, I have to use a form validator to check current member's group to find out if he is allowed to do that or not.

thanks!

Avatar
swaiba

Forum Moderator, 1899 Posts

31 July 2012 at 5:32am

Hi Ben,

I've looked for this exact thing and it seems that it is going to have to be built... the plan I've got is to include the summary fields, edit fields and csv export fields along with can view/create/edit/delete DataObjects/fields. This is mostly working the only part left is to add it into SS - I've been waiting to switch to SS3 to make sure it is compatible there. This is one of many modules hoping to release this year...

Anyway... Some useful links regarding security setup...

http://www.silverstripe.org/security-extension-module/
https://github.com/nyeholt/silverstripe-restrictedobjects
http://www.silverstripe.org/simplify-module/
https://github.com/silverstripe-labs/silverstripe-peruseraccess/blob/master/code/PerUserSiteTreeDecorator.php

Avatar
BenWu

Community Member, 97 Posts

31 July 2012 at 10:00am

Edited: 31/07/2012 10:00am

Thanks for reply.

What I am looking for is different from what your describe I think.

Take this example in http://doc.silverstripe.org/framework/en/tutorials/3-forms

class HomePage_Controller extends Page_Controller {
    // ...
    public function doBrowserPoll($data, $form) {
        $submission = new BrowserPollSubmission();
        $form->saveInto($submission);
        $submission->write();
        return $this->redirectBack();
    }
}

the

 $form->saveInto() 

has no checking whether the db fields are 'safe' to saved or not. If someone knows the db fields, he might inject something into $data and change the fields that I don't want them to change.

Looking at the Yii Framework http://www.yiiframework.com/doc/api/1.1/CModel#safeAttributeNames-detail , there is something called 'safeattributes'. If a db field is not 'safe', the 'saveInto' method should ignore that field.

Not sure SS3 got it already. It will be quite handy to have.

regards,

Avatar
martimiz

Forum Moderator, 1391 Posts

4 August 2012 at 6:43am

Edited: 04/08/2012 6:43am

I think if you would conditionally create some of the formfields as in

if (checkcondition) $Fields->push(new ....

Then they would either be part of the form or not, and regardless of what is posted, $form->saveInto($submission) would only add the fields you defined.

Avatar
BenWu

Community Member, 97 Posts

4 August 2012 at 11:31am

ok thank you. Is it possible some 'naughty boys' would inject something into $_GET/$_POST to the controller that processes the form? I think i still need to check whether thouse 'safe' fields are set by non-authorize users or not

Avatar
BenWu

Community Member, 97 Posts

4 August 2012 at 11:31am

ok thank you. Is it possible some 'naughty boys' would inject something into $_GET/$_POST to the controller that processes the form? I think i still need to check whether thouse 'safe' fields are set by non-authorize users or not