-
Permission at the field level

31 July 2012 at 3:52am Last edited: 31 July 2012 3:54am
I know that it is possible to set up permissions at the Model or Action level using Permission::check or canEdit/canAdd/canDelete.
However, is it possible to set up database field level permissions, so that fields are excluded from editing for front-end editing? Even if 'hackers' tried to post the extra fields, they would be ignored. For example, if you have a paid subscription model, you don't want the front-end user to edit the Status field of the subscription.
In the Yii framework, you can specify which fields are 'safe' or not. Is it possible to have this feature in SS?
Currently, I have to use a form validator to check the current member's group to find out whether he is allowed to do that or not.
Thanks!
-
Re: Permission at the field level

31 July 2012 at 5:32am
Hi Ben,
I've looked for this exact thing and it seems that it is going to have to be built... The plan I've got is to include the summary fields, edit fields and CSV export fields along with can view/create/edit/delete for DataObjects/fields. This is mostly working; the only part left is to add it into SS. I've been waiting to switch to SS3 to make sure it is compatible there. This is one of many modules I'm hoping to release this year...
Anyway... some useful links regarding security setup:
http://www.silverstripe.org/security-extension-module/
https://github.com/nyeholt/silverstripe-restrictedobjects
http://www.silverstripe.org/simplify-module/
https://github.com/silverstripe-labs/silverstripe-peruseraccess/blob/master/code/PerUserSiteTreeDecorator.php
-
Re: Permission at the field level

31 July 2012 at 10:00am Last edited: 31 July 2012 10:00am
Thanks for the reply.
What I am looking for is different from what you describe, I think.
Take this example from http://doc.silverstripe.org/framework/en/tutorials/3-forms

class HomePage_Controller extends Page_Controller {
    // ...
    // Form action handler: $data is the posted data, $form is the Form object.
    public function doBrowserPoll($data, $form) {
        $submission = new BrowserPollSubmission();
        // Copies the form's field values onto the DataObject.
        $form->saveInto($submission);
        $submission->write();
        return $this->redirectBack();
    }
}

The $form->saveInto() call has no check of whether the db fields are 'safe' to be saved or not. If someone knows the db fields, he might inject something into $data and change the fields that I don't want them to change.
Looking at the Yii Framework http://www.yiiframework.com/doc/api/1.1/CModel#safeAttributeNames-detail , there is something called 'safeattributes'. If a db field is not 'safe', the 'saveInto' method should ignore that field.
Not sure whether SS3 has it already. It would be quite handy to have.
regards,
regards,
-
Re: Permission at the field level

4 August 2012 at 6:43am Last edited: 4 August 2012 6:43am
I think if you were to conditionally create some of the form fields, as in
if (checkcondition) $Fields->push(new ....
then they would either be part of the form or not, and regardless of what is posted, $form->saveInto($submission) would only add the fields you defined.
-
Re: Permission at the field level

4 August 2012 at 11:31am
OK, thank you. Is it possible that some 'naughty boys' would inject something into $_GET/$_POST sent to the controller that processes the form? I think I still need to check whether those 'safe' fields are set by non-authorized users or not.
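To illustrate the advice in the previous reply together with the concern raised here, the following is an added example (not code from the thread or from SilverStripe itself) written against the SilverStripe 3 API. It assumes a hypothetical Subscription DataObject with Name, Email and Status fields, a hypothetical permission code SUBSCRIPTION_EDIT_STATUS, and that Form::saveInto() accepts an optional second argument listing the field names to process.

```php
<?php
// Added example, not from the thread: the Status field is only built into the
// form for members holding a (hypothetical) SUBSCRIPTION_EDIT_STATUS permission,
// and saveInto() is additionally given an explicit whitelist of field names.
class SubscriptionPage_Controller extends Page_Controller {

    private static $allowed_actions = array('SubscriptionForm');

    public function SubscriptionForm() {
        // Fields every front-end user may edit.
        $fields = new FieldList(
            new TextField('Name'),
            new EmailField('Email')
        );
        // The Status field only exists in the form for authorised members, so an
        // unauthorised POST carrying a Status key matches no field object.
        if (Permission::check('SUBSCRIPTION_EDIT_STATUS')) {
            $fields->push(new DropdownField('Status', 'Status', array(
                'Active'    => 'Active',
                'Cancelled' => 'Cancelled',
            )));
        }
        $actions   = new FieldList(new FormAction('doSubscribe', 'Save'));
        $validator = new RequiredFields('Name', 'Email');
        return new Form($this, 'SubscriptionForm', $fields, $actions, $validator);
    }

    public function doSubscribe($data, $form) {
        $subscription = new Subscription();   // hypothetical DataObject

        // Recompute the whitelist on the server from the current member's
        // permission, never from anything contained in $data.
        $safeFields = array('Name', 'Email');
        if (Permission::check('SUBSCRIPTION_EDIT_STATUS')) {
            $safeFields[] = 'Status';
        }

        // saveInto() copies values from the Form's own field objects, so posted
        // keys that match no field are dropped; the second argument (assumed
        // SS3 API) restricts the copy further to the named fields.
        $form->saveInto($subscription, $safeFields);
        $subscription->write();
        return $this->redirectBack();
    }
}
```

Because the whitelist is derived from Permission::check() at save time rather than from the request, a manually crafted $_POST containing a Status value is discarded for members without the permission.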