| # |
Feb 9th 2018, 05:13 |
 kevin |
that should create the whole form, right> |
| # |
Feb 9th 2018, 05:13 |
kevin |
if I do $widget = $this->Widget->get($id); $this->set(‘widget’, $widget); then in the view, I did $this->Form->create($widget); |
| # |
Feb 9th 2018, 05:09 |
ricksaccous |
It has something to do with security or something, lol |
| # |
Feb 9th 2018, 05:09 |
ricksaccous |
be sure to use h() when spitting out entity values |
| # |
Feb 9th 2018, 05:09 |
kevin |
3.5, yes |
| # |
Feb 9th 2018, 05:08 |
ricksaccous |
are you using cake3? |
| # |
Feb 9th 2018, 05:08 |
kevin |
im a pentester by trade now, so I am a stickler for security :P |
| # |
Feb 9th 2018, 05:08 |
kevin |
i like using the framework for the added security protections |
| # |
Feb 9th 2018, 05:08 |
kevin |
lol yeah I guess |
| # |
Feb 9th 2018, 05:07 |
ricksaccous |
well if there is a plugin I know about that I think will work well I'll use it but if I think it's simple enough I'll probably avoid the plugin |
| # |
Feb 9th 2018, 05:06 |
ricksaccous |
although I don't really follow my own advice tbh |
| # |
Feb 9th 2018, 05:06 |
ricksaccous |
best way to see if something is cake correct is just use a plugin for it, heh |
| # |
Feb 9th 2018, 05:06 |
kevin |
thats what im doing. im just making sure it was cake-correct |
| # |
Feb 9th 2018, 05:06 |
ricksaccous |
yep |
| # |
Feb 9th 2018, 05:06 |
kevin |
thank you @ricksaccous |
| # |
Feb 9th 2018, 05:05 |
kevin |
yeah I got it |
| # |
Feb 9th 2018, 05:02 |
ricksaccous |
just if the user is authorized for the action? |
| # |
Feb 9th 2018, 05:02 |
ricksaccous |
@jkarlmen out of curiosity how do you even set a link to be an "authorized link" in that plugin? |
| # |
Feb 9th 2018, 05:01 |
ricksaccous |
I'm not sure the best way to do it to be honest |
| # |
Feb 9th 2018, 05:00 |
ricksaccous |
so I'd probably do it in the edit method itself rather than isAuthorized just because it might be easier to check the record there, either that or have all id of widgets the user owns in isAuthorized and work it out there |
| # |
Feb 9th 2018, 04:59 |
ricksaccous |
but you could probably get the picture |
| # |
Feb 9th 2018, 04:59 |
ricksaccous |
probably not fully functional, heh |
| # |
Feb 9th 2018, 04:59 |
ricksaccous |
this is cakephp3 code btw |
| # |
Feb 9th 2018, 04:59 |
ricksaccous |
like i said i am not really sure what you are suggesting but I would do it like this WidgetsController.php { public function edit($id) { $widget = $this->Widgets->get('id); if ($widget->user_id !== $this->Auth->user('id') { $this->Flash->error(__('Not Authorized buddy'); $this->redirect()}}} |
| # |
Feb 9th 2018, 04:57 |
kevin |
or is there some cake php magic I should be using? |
| # |
Feb 9th 2018, 04:56 |
kevin |
so the method im using is the right method? |
| # |
Feb 9th 2018, 04:56 |
kevin |
yeah |
| # |
Feb 9th 2018, 04:56 |
ricksaccous |
redirect them to the index with a flash error |
| # |
Feb 9th 2018, 04:56 |
kevin |
yes thats the goal |
| # |
Feb 9th 2018, 04:56 |
ricksaccous |
if they are not the owner don't let them pull it up |
| # |
Feb 9th 2018, 04:56 |
ricksaccous |
well i'm saying in the controller action there |
| # |
Feb 9th 2018, 04:55 |
kevin |
if I were to just force browse to /Widgets/edit/<any number>, I would be able to pull it up |
| # |
Feb 9th 2018, 04:55 |
kevin |
insecure direct object reference |
| # |
Feb 9th 2018, 04:55 |
ricksaccous |
I don't know what IDOR is |
| # |
Feb 9th 2018, 04:54 |
ricksaccous |
so only edit and delete need that logic i think |
| # |
Feb 9th 2018, 04:54 |
kevin |
so im trying to avoid IDOR vulnerabilities |
| # |
Feb 9th 2018, 04:54 |
ricksaccous |
all of them could access the add widget page and you also have to make sure they aren't deleting other pplz widgets |
| # |
Feb 9th 2018, 04:53 |
ricksaccous |
i'm not sure what is better but i'd probably just query the index page per user, so only select their widgets, but also on edit pages just redirect them back to index if they are not the widget owner |
| # |
Feb 9th 2018, 04:53 |
ricksaccous |
i mean |
| # |
Feb 9th 2018, 04:50 |
kevin |
is that generally a good design? or should I be controlling auth differently? |
| # |
Feb 9th 2018, 04:50 |
slackebot |
authorized) |