SilverStripe Forums » Data Model Questions » Permission at the field level

  • BenWu (Community Member)

    Permission at the field level

    I know that it is possible to set up permissions at the Model or Action level using Permission::check or canEdit/canAdd/canDelete.

    However, is it possible to set up database field-level permissions, so that certain fields are excluded from front-end editing? Even if 'hackers' tried to post the extra fields, they would be ignored. For example, if you have a paid subscription model, you don't want the front-end user to edit the Status field of the subscription.

    In the Yii framework, you can specify which fields are 'safe' or not. Is it possible to have this feature in SS?

    Currently, I have to use a form validator to check the current member's group to find out whether he is allowed to do that or not.

    thanks!

  • swaiba (Forum Moderator)

    Re: Permission at the field level

    Hi Ben,

    I've looked for this exact thing and it seems that it is going to have to be built... The plan I've got is to include the summary fields, edit fields and CSV export fields along with can view/create/edit/delete for DataObjects/fields. This is mostly working; the only part left is to add it into SS. I've been waiting to switch to SS3 to make sure it is compatible there. This is one of many modules I'm hoping to release this year...

    Anyway... some useful links regarding security setup:

    http://www.silverstripe.org/security-extension-module/
    https://github.com/nyeholt/silverstripe-restrictedobjects
    http://www.silverstripe.org/simplify-module/
    https://github.com/silverstripe-labs/silverstripe-peruseraccess/blob/master/code/PerUserSiteTreeDecorator.php

  • BenWu (Community Member)

    Re: Permission at the field level

    Thanks for the reply.

    What I am looking for is different from what you describe, I think.

    Take this example from http://doc.silverstripe.org/framework/en/tutorials/3-forms

    class HomePage_Controller extends Page_Controller {
        // ...
        public function doBrowserPoll($data, $form) {
            $submission = new BrowserPollSubmission();
            $form->saveInto($submission);
            $submission->write();
            return $this->redirectBack();
        }
    }

    The $form->saveInto() call has no check on whether the db fields are 'safe' to be saved or not. If someone knows the db fields, he might inject something into $data and change fields that I don't want them to change.

    Looking at the Yii Framework http://www.yiiframework.com/doc/api/1.1/CModel#safeAttributeNames-detail , there is something called 'safe attributes'. If a db field is not 'safe', the 'saveInto' method should ignore that field.

    Not sure if SS3 has it already. It would be quite handy to have.

    regards,

  • martimiz (Forum Moderator)

    Re: Permission at the field level

    I think if you would conditionally create some of the form fields, as in

    if (checkcondition) $Fields->push(new ....

    then they would either be part of the form or not, and regardless of what is posted, $form->saveInto($submission) would only add the fields you defined.
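
    The following is an added example, not code from the thread or from the SilverStripe project, showing BenWu's mass-assignment concern from the previous post beside the conditional-field approach martimiz describes. It assumes a hypothetical Subscription DataObject (Plan and Status fields, a Member relation) and a SubscriptionPage_Controller; those names, the 'ADMIN' permission code and the Pending/Active/Cancelled statuses are illustrative. It targets the SilverStripe 3 API (FieldList, DataList::filter).

```php
<?php
// Added example (not from the thread): a front-end edit form for a Subscription
// whose Status field must never be writable by the ordinary subscriber.
// Subscription, SubscriptionPage_Controller and the field names are hypothetical.

class Subscription extends DataObject {
    private static $db = array(
        'Plan'   => 'Varchar(50)',
        'Status' => "Enum('Pending,Active,Cancelled','Pending')",
    );
    private static $has_one = array(
        'Member' => 'Member',
    );
}

class SubscriptionPage_Controller extends Page_Controller {

    // Only the hardened form is routable; InsecureEditForm is kept for comparison.
    private static $allowed_actions = array('EditForm');

    /**
     * INSECURE version: Status is unconditionally part of the FieldList, so
     * Form::saveInto() copies whatever the client posted for Status onto the
     * record. A subscriber who adds Status=Active to the POST body activates
     * their own subscription without paying.
     */
    public function InsecureEditForm() {
        $statuses = singleton('Subscription')->dbObject('Status')->enumValues();
        $fields = new FieldList(
            new TextField('Plan', 'Plan'),
            new DropdownField('Status', 'Status', $statuses)
        );
        $actions = new FieldList(new FormAction('doSave', 'Save'));
        return new Form($this, 'InsecureEditForm', $fields, $actions);
    }

    /**
     * Hardened version: the Status control is pushed onto the FieldList only
     * when the current member passes the permission check. Form::saveInto()
     * walks the form's own fields, not $_POST, so a posted Status value with no
     * matching FormField is never written. The check is re-evaluated on the
     * POST request too, because SilverStripe rebuilds the form from this method
     * before dispatching to doSave().
     */
    public function EditForm() {
        $fields = new FieldList(
            new TextField('Plan', 'Plan')
        );
        if (Permission::check('ADMIN')) {
            $statuses = singleton('Subscription')->dbObject('Status')->enumValues();
            $fields->push(new DropdownField('Status', 'Status', $statuses));
        }
        $actions   = new FieldList(new FormAction('doSave', 'Save'));
        $validator = new RequiredFields('Plan');
        return new Form($this, 'EditForm', $fields, $actions, $validator);
    }

    public function doSave($data, $form) {
        // Look up the caller's own record rather than trusting an ID from $data.
        $subscription = Subscription::get()
            ->filter('MemberID', Member::currentUserID())
            ->first();
        if (!$subscription) {
            return $this->httpError(404);
        }
        // Only fields present in $form->Fields() are written. For a non-admin
        // the form has no Status field, so $data['Status'] is ignored here.
        $form->saveInto($subscription);
        $subscription->write();
        return $this->redirectBack();
    }
}
```

    Two caveats a practitioner should keep in mind. First, the whitelist is the form's FieldList, not the posted data: any field that is in the form can still receive an arbitrary value, so it still needs a validator (RequiredFields above only covers presence). Second, the permission check has to live in the form-building method, where it runs server-side on every request; a check done only while rendering the page, or in JavaScript, does nothing to protect the POST. In SilverStripe 3, Form::saveInto() also accepts an optional second argument, an array of field names to save; confirm it exists in the version you run before relying on it.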

  • BenWu (Community Member)

    Re: Permission at the field level

    OK, thank you. Is it possible some 'naughty boys' would inject something into $_GET/$_POST to the controller that processes the form? I think I still need to check whether those 'safe' fields are set by non-authorised users or not.