
Security of selfmade customer center

cSGermany

Community Member, 37 Posts

28 July 2013 at 2:10am

Hi folks,

I've just created a kind of customer center on my ss 3.0.5 page.
The code is quite simple, but first I'll tell you the page structure:

My Holder is CustomerCenter with childpages CustomerPage. Each CustomerPage has a simple textfield called "CustomersEmailAddress"

The CustomerPage contains all info for one customer. Invoices, downloads, information and so on.

CustomersEmailAddress contains the same e-mail address as the customer's account.

I've got no registration form or anything like that on my page. So I create the accounts for my customers.

Ok, now let's go to the template code of CustomerCenter:

<% loop $Children %>
	<%-- only the CustomerPage whose stored address matches the logged-in member is rendered --%>
	<% if $CustomersEmailAddress == $CurrentMember.Email %>
		here are all the CustomerPage variables
	<% end_if %>
<% end_loop %>

With this method, the customer only gets the content of his CustomerPage.

It works. BUT how secure is this?!
Can someone tell me this or show me a better way to create a CustomerCenter?

Thank you in advance

cSGermany

cSGermany

Community Member, 37 Posts

29 July 2013 at 6:01pm

Push! :)

dhensby

Community Member, 253 Posts

29 July 2013 at 6:26pm

Edited: 29/07/2013 7:15pm

It looks "fine" in terms of security, usually I'd use a has_one to link pages and members, rather than relying on the current user's email address (which could change, so you'd need to change it twice if it did)

Usually this kind of permission check should happen in the controller so you can throw an httpError.

Eg:

class CustomerCentre_Controller extends Page_Controller {

    ...

    public function index() {
        // Look up the child page linked to the logged-in member through the has_one (CustomerID)
        if ($customer = $this->Children()->filter("CustomerID", Member::currentUserID())->First()) {
            return $this->customise(array(
                "Customer" => $customer
            ));
        }
        // No matching page: deny with a permission failure (login redirect / 403) instead of rendering nothing
        return Security::permissionFailure($this);
    }

    ...

}

The above would allow you to do this in the template:

<% if $Customer %>
    <% with $Customer %>
        ...
    <% end_with %>
<% end_if %>

Personally, I wouldn't be using child pages, I'd use "company" or "client" dataobjects that are linked to the Member objects and then just use an 'action' on the ClientCentre to show it like a page.
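One way to wire up the has_one link suggested above and to enforce the check on the page itself as well as in the holder's controller, so that a request straight to a CustomerPage URL is also denied; this is an added example written against the SilverStripe 3.x API, not code from the thread or from SilverStripe, and the CMS dropdown and the class names (CustomerPage, CustomerCenter) are assumptions:

```php
<?php
// Added example (not from the thread): link each CustomerPage to a Member and enforce
// access in canView(), which ContentController checks before rendering any page request.

class CustomerPage extends Page {

    private static $has_one = array(
        'Customer' => 'Member',   // the one account allowed to view this page
    );

    public function getCMSFields() {
        $fields = parent::getCMSFields();
        // Assumed convenience: pick the linked member in the CMS by e-mail address
        $fields->addFieldToTab('Root.Main',
            DropdownField::create('CustomerID', 'Customer', Member::get()->map('ID', 'Email'))
                ->setEmptyString('(none)'),
            'Content'
        );
        return $fields;
    }

    // A false result here yields a login redirect / 403, even for a direct URL request
    public function canView($member = null) {
        if (!$member) $member = Member::currentUser();
        if (!$member) return false;                           // anonymous visitors never see customer pages
        if (Permission::checkMember($member, 'ADMIN')) return true;
        return (int)$this->CustomerID === (int)$member->ID;   // only the linked account
    }
}

class CustomerCenter extends Page {
    private static $allowed_children = array('CustomerPage');
}

class CustomerCenter_Controller extends Page_Controller {
    public function index() {
        // Look the page up by the relation, not by e-mail, and fail closed when nothing matches
        $customer = CustomerPage::get()
            ->filter(array('ParentID' => $this->ID, 'CustomerID' => Member::currentUserID()))
            ->first();
        if (!$customer) {
            return Security::permissionFailure($this, 'Please log in to see your customer page.');
        }
        return $this->customise(array('Customer' => $customer));
    }
}
```

With canView() in place, the template loop in the first post is no longer the only thing standing between a customer and another customer's page; the model refuses the request regardless of which template renders it.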

cSGermany

Community Member, 37 Posts

30 July 2013 at 9:00pm

Hi Pigeon,
thank you for your answer.

So my method is more or less secure :D That's good to know!

But I'll test your version. There's one question left. How do I link a customer to a page?

Thank you in advance

cSGermany