SilverStripe Forums » General Questions » Security of selfmade customer center
  • cSGermany
    Community Member
    37 Posts

    Security of selfmade customer center

    Hi folks,

    I've just created a kind of customer center on my ss 3.0.5 page.
    The code is quite simple, but first I'll tell you the page structure:

    My Holder is CustomerCenter with childpages CustomerPage. Each CustomerPage has a simple textfield called "CustomersEmailAddress"

    The CustomerPage contains all info for one customer. Invoices, downloads, informations and so on.

    CustomersEmailAddress contains the same e-mail address as the customer's account.

    I've got no registration form or anything like that on my page. So I create the accounts for my customers.

    Ok, now let's go to the template code of CustomerCenter:

    <% loop Children %>
       <% if CustomersEmailAddress = CurrentMember.Email %>
          here are all the CustomerPage variables
       <% end_if %>
    <% end_loop %>

    With this method, the customer only gets the content of his CustomerPage.

    It works. BUT how secure is this?!
    Can someone tell me this or show me a better way to create a CustomerCenter?

    Thank you in advance

    cSGermany

  • cSGermany
    Community Member
    37 Posts

    Re: Security of selfmade customer center

    Push!

  • Pigeon
    Community Member
    243 Posts

    Re: Security of selfmade customer center

    It looks "fine" in terms of security, usually I'd use a has_one to link pages and members, rather than relying on the current user's email address (which could change, so you'd need to change it twice if it did)

    Usually this kind of permission check should happen in the controller so you can throw an httpError.

    Eg:

    class CustomerCentre_Controller extends Page_Controller {

        ...

        public function index() {
            // Look up the child page linked to the logged-in member through its CustomerID (has_one) column
            if ($customer = $this->Children()->filter("CustomerID", Member::currentUserID())->First()) {
                return $this->customise(array(
                    "Customer" => $customer
                ));
            }
            // No page belongs to this member: return the standard permission-failure response
            return Security::permissionFailure($this);
        }

        ...

    }

    The above would allow you to do this in the template:

    <% if Customer %>
        <% with Customer %>
            ...
        <% end_with %>
    <% end_if %>

    Personally, I wouldn't be using child pages, I'd use "company" or "client" dataobjects that are linked to the Member objects and then just use an 'action' on the ClientCentre to show it like a page.
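To show what the has_one link Pigeon mentions looks like, here is an added example written against the SilverStripe 3.0 API; it is my code, not code from this thread or from the SilverStripe project. It assumes the class name CustomerPage from the first post and names the relation "Customer", which is what creates the CustomerID column that the controller filter above relies on. It also puts the ownership rule into canView() on the page itself, because each CustomerPage is still a page with its own URL, and a check that lives only in the holder's controller is not applied when the page is loaded on its own.

```php
<?php
// Added example (not from the thread): link each CustomerPage to one Member
// and enforce ownership in canView(). Class and relation names are assumptions.
class CustomerPage extends Page {

    // Adds a CustomerID column to CustomerPage; this is the column that
    // ->filter("CustomerID", Member::currentUserID()) in the controller matches on.
    public static $has_one = array(
        'Customer' => 'Member'
    );

    public function getCMSFields() {
        $fields = parent::getCMSFields();
        // Let the CMS editor choose which member owns this page,
        // listed by e-mail address so it matches how accounts are created by hand.
        $fields->addFieldToTab('Root.Main', new DropdownField(
            'CustomerID',
            'Customer',
            Member::get()->map('ID', 'Email')->toArray()
        ), 'Content');
        return $fields;
    }

    // Only the linked member may view this page; anyone else falls back to the
    // normal SiteTree rules (so CMS administrators keep their access).
    public function canView($member = null) {
        if (!$member) $member = Member::currentUser();
        if (!$member) return false;
        if ($this->CustomerID && $member->ID == $this->CustomerID) return true;
        return parent::canView($member);
    }
}

class CustomerPage_Controller extends Page_Controller {
}
```

Run dev/build after adding the relation so the CustomerID column is created. Since Hierarchy's Children() already leaves out pages whose canView() fails, the original template loop would also list only the owner's page once this is in place; the controller lookup remains the explicit way to fetch that page and return permissionFailure when the member has none.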

  • cSGermany
    Community Member
    37 Posts

    Re: Security of selfmade customer center

    Hi Pigeon,
    thank you for your answer.

    So my method is more or less secure. That's good to know!

    But I'll test your version. There's one question left: how do I link a customer to a page?

    Thank you in advance

    cSGermany
