# |
Feb 9th 2018, 05:08 |
kevin |
im a pentester by trade now, so I am a stickler for security :P |
# |
Feb 9th 2018, 05:08 |
kevin |
i like using the framework for the added security protections |
# |
Feb 9th 2018, 05:08 |
kevin |
lol yeah I guess |
# |
Feb 9th 2018, 05:07 |
ricksaccous |
well if there is a plugin I know about that I think will work well I'll use it but if I think it's simple enough I'll probably avoid the plugin |
# |
Feb 9th 2018, 05:06 |
ricksaccous |
although I don't really follow my own advice tbh |
# |
Feb 9th 2018, 05:06 |
ricksaccous |
best way to see if something is cake correct is just use a plugin for it, heh |
# |
Feb 9th 2018, 05:06 |
kevin |
thats what im doing. im just making sure it was cake-correct |
# |
Feb 9th 2018, 05:06 |
ricksaccous |
yep |
# |
Feb 9th 2018, 05:06 |
kevin |
thank you @ricksaccous |
# |
Feb 9th 2018, 05:05 |
kevin |
yeah I got it |
# |
Feb 9th 2018, 05:02 |
ricksaccous |
just if the user is authorized for the action? |
# |
Feb 9th 2018, 05:02 |
ricksaccous |
@jkarlmen out of curiosity how do you even set a link to be an "authorized link" in that plugin? |
# |
Feb 9th 2018, 05:01 |
ricksaccous |
I'm not sure the best way to do it to be honest |
# |
Feb 9th 2018, 05:00 |
ricksaccous |
so I'd probably do it in the edit method itself rather than isAuthorized just because it might be easier to check the record there, either that or have all id of widgets the user owns in isAuthorized and work it out there |
# |
Feb 9th 2018, 04:59 |
ricksaccous |
but you could probably get the picture |
# |
Feb 9th 2018, 04:59 |
ricksaccous |
probably not fully functional, heh |
# |
Feb 9th 2018, 04:59 |
ricksaccous |
this is cakephp3 code btw |
# |
Feb 9th 2018, 04:59 |
ricksaccous |
like i said i am not really sure what you are suggesting but I would do it like this WidgetsController.php { public function edit($id) { $widget = $this->Widgets->get('id); if ($widget->user_id !== $this->Auth->user('id') { $this->Flash->error(__('Not Authorized buddy'); $this->redirect()}}} |
# |
Feb 9th 2018, 04:57 |
kevin |
or is there some cake php magic I should be using? |
# |
Feb 9th 2018, 04:56 |
kevin |
so the method im using is the right method? |
# |
Feb 9th 2018, 04:56 |
kevin |
yeah |
# |
Feb 9th 2018, 04:56 |
ricksaccous |
redirect them to the index with a flash error |
# |
Feb 9th 2018, 04:56 |
kevin |
yes thats the goal |
# |
Feb 9th 2018, 04:56 |
ricksaccous |
if they are not the owner don't let them pull it up |
# |
Feb 9th 2018, 04:56 |
ricksaccous |
well i'm saying in the controller action there |
# |
Feb 9th 2018, 04:55 |
kevin |
if I were to just force browse to /Widgets/edit/<any number>, I would be able to pull it up |
# |
Feb 9th 2018, 04:55 |
kevin |
insecure direct object reference |
# |
Feb 9th 2018, 04:55 |
ricksaccous |
I don't know what IDOR is |
# |
Feb 9th 2018, 04:54 |
ricksaccous |
so only edit and delete need that logic i think |
# |
Feb 9th 2018, 04:54 |
kevin |
so im trying to avoid IDOR vulnerabilities |
# |
Feb 9th 2018, 04:54 |
ricksaccous |
all of them could access the add widget page and you also have to make sure they aren't deleting other pplz widgets |
# |
Feb 9th 2018, 04:53 |
ricksaccous |
i'm not sure what is better but i'd probably just query the index page per user, so only select their widgets, but also on edit pages just redirect them back to index if they are not the widget owner |
# |
Feb 9th 2018, 04:53 |
ricksaccous |
i mean |
# |
Feb 9th 2018, 04:50 |
kevin |
is that generally a good design? or should I be controlling auth differently? |
# |
Feb 9th 2018, 04:50 |
slackebot |
authorized) |
# |
Feb 9th 2018, 04:50 |
kevin |
I have an account section where people can add/view/edit their own Widgets. no one else should be able to view their Widgets. The controller is used by multiple (every) user, so for the isAuthorized, I put “if they have a valid session ID, let them view the page”, but for the Widget’s list, I am adding specific logic to say “SELECT owner FROM widget_db WHERE owner = $id”. If that fails, I redirec the user to the home page and Flash->e |
# |
Feb 9th 2018, 04:47 |
ricksaccous |
lol |
# |
Feb 9th 2018, 04:47 |
ricksaccous |
just ask |
# |
Feb 9th 2018, 04:47 |
kevin |
can I get some architecture advice? |
# |
Feb 9th 2018, 04:47 |
jkarlmen |
huh ... i've been working on this for two days and it just hit me. I haven't setup any authorization stuff ... maybe it defaults to not authorizing anything |
# |
Feb 9th 2018, 04:46 |
jkarlmen |
for some reason it only works in the app root |