| # |
Feb 9th 2018, 04:57 |
 kevin |
or is there some cake php magic I should be using? |
| # |
Feb 9th 2018, 04:56 |
kevin |
so the method im using is the right method? |
| # |
Feb 9th 2018, 04:56 |
kevin |
yeah |
| # |
Feb 9th 2018, 04:56 |
ricksaccous |
redirect them to the index with a flash error |
| # |
Feb 9th 2018, 04:56 |
kevin |
yes thats the goal |
| # |
Feb 9th 2018, 04:56 |
ricksaccous |
if they are not the owner don't let them pull it up |
| # |
Feb 9th 2018, 04:56 |
ricksaccous |
well i'm saying in the controller action there |
| # |
Feb 9th 2018, 04:55 |
kevin |
if I were to just force browse to /Widgets/edit/<any number>, I would be able to pull it up |
| # |
Feb 9th 2018, 04:55 |
kevin |
insecure direct object reference |
| # |
Feb 9th 2018, 04:55 |
ricksaccous |
I don't know what IDOR is |
| # |
Feb 9th 2018, 04:54 |
ricksaccous |
so only edit and delete need that logic i think |
| # |
Feb 9th 2018, 04:54 |
kevin |
so im trying to avoid IDOR vulnerabilities |
| # |
Feb 9th 2018, 04:54 |
ricksaccous |
all of them could access the add widget page and you also have to make sure they aren't deleting other pplz widgets |
| # |
Feb 9th 2018, 04:53 |
ricksaccous |
i'm not sure what is better but i'd probably just query the index page per user, so only select their widgets, but also on edit pages just redirect them back to index if they are not the widget owner |
| # |
Feb 9th 2018, 04:53 |
ricksaccous |
i mean |
| # |
Feb 9th 2018, 04:50 |
kevin |
is that generally a good design? or should I be controlling auth differently? |
| # |
Feb 9th 2018, 04:50 |
slackebot |
authorized) |
| # |
Feb 9th 2018, 04:50 |
kevin |
I have an account section where people can add/view/edit their own Widgets. no one else should be able to view their Widgets. The controller is used by multiple (every) user, so for the isAuthorized, I put “if they have a valid session ID, let them view the page”, but for the Widget’s list, I am adding specific logic to say “SELECT owner FROM widget_db WHERE owner = $id”. If that fails, I redirec the user to the home page and Flash->e |
| # |
Feb 9th 2018, 04:47 |
ricksaccous |
lol |
| # |
Feb 9th 2018, 04:47 |
ricksaccous |
just ask |
| # |
Feb 9th 2018, 04:47 |
kevin |
can I get some architecture advice? |
| # |
Feb 9th 2018, 04:47 |
jkarlmen |
huh ... i've been working on this for two days and it just hit me. I haven't setup any authorization stuff ... maybe it defaults to not authorizing anything |
| # |
Feb 9th 2018, 04:46 |
jkarlmen |
for some reason it only works in the app root |
| # |
Feb 9th 2018, 04:46 |
jkarlmen |
it's supposed to check if a user is authorized to see a link and then show a link or not |
| # |
Feb 9th 2018, 04:45 |
jkarlmen |
and that uses another helper called AuthLink |
| # |
Feb 9th 2018, 04:45 |
jkarlmen |
yeah ... it has a helper called UserHelper |
| # |
Feb 9th 2018, 04:45 |
ricksaccous |
authlink? |
| # |
Feb 9th 2018, 04:45 |
jkarlmen |
having issues authlink |
| # |
Feb 9th 2018, 04:44 |
jkarlmen |
I am having a hard time finding information on it and I have pinged their github, reddit, searched their wikis and the internet in general ... out of ideas |
| # |
Feb 9th 2018, 04:43 |
jkarlmen |
that's alright |
| # |
Feb 9th 2018, 04:41 |
ricksaccous |
@kevin no problem |
| # |
Feb 9th 2018, 04:41 |
ricksaccous |
@jkarlmen sorry i'm not too familiar with that plugin |
| # |
Feb 9th 2018, 04:41 |
kevin |
thank you |
| # |
Feb 9th 2018, 04:41 |
ricksaccous |
alright dyud |
| # |
Feb 9th 2018, 04:40 |
kevin |
so im trying to get back into it |
| # |
Feb 9th 2018, 04:40 |
kevin |
I developed 10 apps, equaling 10million lines of code in cakephp, but that was about 7 years ago |
| # |
Feb 9th 2018, 04:40 |
ricksaccous |
ex ChickensController {function editChicken($id) { debug($id); exit;}} |
| # |
Feb 9th 2018, 04:40 |
kevin |
thanks |
| # |
Feb 9th 2018, 04:40 |
kevin |
yeah I found it cause im dumb |
| # |
Feb 9th 2018, 04:39 |
jkarlmen |
sorry about that |
| # |
Feb 9th 2018, 04:39 |
ricksaccous |
the controller method action takes the parameter |