How to know which Form was used when a DataObject is saved?


Jare

Community Member, 39 Posts

6 June 2017 at 11:15pm

Hi,

I'm not sure if this is the correct category for this question. I have a DataObject upon which I have created an onBeforeWrite() method. Inside that method I need to somehow know where the current saving request came from. If I knew the Form that was used during the request, I could know which fields are available and which are not.

I can't just use Controller::curr()->getRequest()->postVars() to find out which fields were submitted because, well... that would create a security vulnerability. For example, I might have an advanced form in the backend that has all kinds of fields that are meant for administrators only. Then I might have a simpler form in the frontend - designed for logged-in users but not necessarily admins - that is supposed to change a small set of fields. In this case a hacker could add their own fields to the HTML form and they would be able to alter values that were not designed to be altered a) by non-admins and/or b) from the frontend.

Another way to consider would be to check which Controller is currently in use. This way I could tell if the request originates from the backend or from the frontend. But I might need something more sophisticated in case there will be multiple forms inside the backend that would write stuff to this object.

Thanks for your support! :)
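
The risk described in the post above (extra fields added to a frontend form reaching admin-only values) is shown here as an added example that is not part of the original post and is not SilverStripe code. It is plain PHP; the form names, field names and sample request data are hypothetical, and the form name is assumed to be chosen by the server-side handler, never read from the request.

```php
<?php
// Added example: plain PHP, no framework. Form names, field names and the
// sample request data are constructed for illustration.

// Each form declares the only fields it is allowed to write.
const FORM_FIELDS = [
    'FrontendProfileForm' => ['Nickname', 'Bio'],
    'AdminEditForm'       => ['Nickname', 'Bio', 'IsApproved', 'OwnerID'],
];

// Vulnerable: copies every submitted key onto the record.
function applyAllPostVars(array $record, array $post): array
{
    return array_merge($record, $post);
}

// Hardened: $formName is set by the handler that processed the request
// (never taken from $post). Only that form's declared fields are copied;
// everything else is dropped and returned so it can be logged.
function applyFormFields(array $record, string $formName, array $post): array
{
    if (!array_key_exists($formName, FORM_FIELDS)) {
        throw new InvalidArgumentException("Unknown form: $formName");
    }
    $allowed  = array_flip(FORM_FIELDS[$formName]);
    $accepted = array_intersect_key($post, $allowed);
    $rejected = array_keys(array_diff_key($post, $allowed));
    return [array_merge($record, $accepted), $rejected];
}

$record = ['Nickname' => 'jane', 'Bio' => '', 'IsApproved' => 0, 'OwnerID' => 7];

// Constructed frontend submission carrying one field the form never rendered.
$post = ['Nickname' => 'jane2', 'Bio' => 'hello', 'IsApproved' => '1'];

$naive = applyAllPostVars($record, $post);
[$safe, $rejected] = applyFormFields($record, 'FrontendProfileForm', $post);

printf("naive IsApproved=%s\n", $naive['IsApproved']);
printf("safe  IsApproved=%s\n", $safe['IsApproved']);
printf("rejected fields: %s\n", implode(', ', $rejected));
```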