Log message #4115824

# At Username Text
# Feb 9th 2018, 05:08 kevin lol yeah I guess
# Feb 9th 2018, 05:07 ricksaccous well if there is a plugin I know about that I think will work well I'll use it but if I think it's simple enough I'll probably avoid the plugin
# Feb 9th 2018, 05:06 ricksaccous although I don't really follow my own advice tbh
# Feb 9th 2018, 05:06 ricksaccous best way to see if something is cake correct is just use a plugin for it, heh
# Feb 9th 2018, 05:06 kevin that's what I'm doing. I'm just making sure it was cake-correct
# Feb 9th 2018, 05:06 ricksaccous yep
# Feb 9th 2018, 05:06 kevin thank you @ricksaccous
# Feb 9th 2018, 05:05 kevin yeah I got it
# Feb 9th 2018, 05:02 ricksaccous just if the user is authorized for the action?
# Feb 9th 2018, 05:02 ricksaccous @jkarlmen out of curiosity how do you even set a link to be an "authorized link" in that plugin?
# Feb 9th 2018, 05:01 ricksaccous I'm not sure the best way to do it to be honest
# Feb 9th 2018, 05:00 ricksaccous so I'd probably do it in the edit method itself rather than isAuthorized just because it might be easier to check the record there, either that or have all id of widgets the user owns in isAuthorized and work it out there
# Feb 9th 2018, 04:59 ricksaccous but you could probably get the picture
# Feb 9th 2018, 04:59 ricksaccous probably not fully functional, heh
# Feb 9th 2018, 04:59 ricksaccous this is cakephp3 code btw
# Feb 9th 2018, 04:59 ricksaccous like I said I am not really sure what you are suggesting but I would do it like this WidgetsController.php { public function edit($id) { $widget = $this->Widgets->get($id); if ($widget->user_id !== $this->Auth->user('id')) { $this->Flash->error(__('Not Authorized buddy')); return $this->redirect(['action' => 'index']); } } }
# Feb 9th 2018, 04:57 kevin or is there some CakePHP magic I should be using?
# Feb 9th 2018, 04:56 kevin so the method I'm using is the right method?
# Feb 9th 2018, 04:56 kevin yeah
# Feb 9th 2018, 04:56 ricksaccous redirect them to the index with a flash error
# Feb 9th 2018, 04:56 kevin yes thats the goal
# Feb 9th 2018, 04:56 ricksaccous if they are not the owner don't let them pull it up
# Feb 9th 2018, 04:56 ricksaccous well i'm saying in the controller action there
# Feb 9th 2018, 04:55 kevin if I were to just force browse to /Widgets/edit/<any number>, I would be able to pull it up
# Feb 9th 2018, 04:55 kevin insecure direct object reference
# Feb 9th 2018, 04:55 ricksaccous I don't know what IDOR is
# Feb 9th 2018, 04:54 ricksaccous so only edit and delete need that logic I think
# Feb 9th 2018, 04:54 kevin so I'm trying to avoid IDOR vulnerabilities
# Feb 9th 2018, 04:54 ricksaccous all of them could access the add widget page and you also have to make sure they aren't deleting other people's widgets
# Feb 9th 2018, 04:53 ricksaccous I'm not sure what is better but I'd probably just query the index page per user, so only select their widgets, but also on edit pages just redirect them back to index if they are not the widget owner
# Feb 9th 2018, 04:53 ricksaccous I mean
# Feb 9th 2018, 04:50 kevin is that generally a good design? or should I be controlling auth differently?
# Feb 9th 2018, 04:50 slackebot authorized)
# Feb 9th 2018, 04:50 kevin I have an account section where people can add/view/edit their own Widgets. No one else should be able to view their Widgets. The controller is used by multiple (every) user, so for the isAuthorized, I put “if they have a valid session ID, let them view the page”, but for the Widget’s list, I am adding specific logic to say “SELECT owner FROM widget_db WHERE owner = $id”. If that fails, I redirect the user to the home page and Flash->e
# Feb 9th 2018, 04:47 ricksaccous lol
# Feb 9th 2018, 04:47 ricksaccous just ask
# Feb 9th 2018, 04:47 kevin can I get some architecture advice?
# Feb 9th 2018, 04:47 jkarlmen huh ... I've been working on this for two days and it just hit me. I haven't set up any authorization stuff ... maybe it defaults to not authorizing anything
# Feb 9th 2018, 04:46 jkarlmen for some reason it only works in the app root
# Feb 9th 2018, 04:46 jkarlmen it's supposed to check if a user is authorized to see a link and then show a link or not
# Feb 9th 2018, 04:45 jkarlmen and that uses another helper called AuthLink