Steve,

To keep things as simple as possible I would: edit with a changed id should not save as a new record, there is add() for that action. Manipulating the id in the URL should either redirect to index with a flash warning message or throw an error.
Andras

On Aug 8, 2014, at 5:21 PM, Steve Thomas <smt9...@gmail.com> wrote:

> Thanks Andras,
> I decided to do what you suggested with the condition. It works. If a manager of one company is editing one of their employees and decides to change the (id) in the address bar and the (id) belongs to an employee of a different company, a blank edit form will appear. If they fill out the form it simply adds another employee to their company roster.
> I'm still amazed there isn't something in cakephp that solves it with a post.
>
> Thanks for your help.
> Steve Thomas
>
> On Friday, August 8, 2014 6:16:52 PM UTC-4, Andras Kende wrote:
>
> You could add a condition like
>
> 'conditions' => array(
>     'Employee.company_id' => $this->Auth->user('company_id')
> )
>
> So when changing the id in the url the application still only allows fetching data which belongs to the same company.
>
> The same applies for delete, just check before if the current user has access to the record to be deleted...
>
> If you need to hide the id, then one option is to use uuid() as primary key.
>
> Andras
>
> On Aug 8, 2014, at 1:33 PM, Steve Thomas <smt...@gmail.com> wrote:
>
>> Thanks Mark,
>> I am using ACL. So for example, if a role such as a manager can list all the employees of that company, it also adds the Action links (add) (edit) (delete). If this manager clicks to edit one of the employees (users), this is sent to the EDIT view via GET with the user id in the address bar - controller/method/id. All the manager would have to do is change the id in the address bar to access another user. Possibly a user from a different company which they shouldn't be able to access.
>> It's generally not acceptable programming to send an account id via GET because of this security breach. It should always be sent POST. However, the EDIT form submits to itself and therefore conflicts with other posts.
>> I was hoping this is such a basic and common flaw that there would be an easy fix.
>> I hope that cleared up what I'm trying to accomplish.
>> Another example is the DELETE link on the same Action with EDIT and ADD uses postLink() to avoid the id being sent via GET in the address bar. However, the delete page doesn't have any other POST or self submissions and no conflicts.
>>
>> Thanks
>> Steve
>>
>> On Friday, August 8, 2014 3:03:57 PM UTC-4, euromark wrote:
>>
>> I think you are confusing a few things here.
>> GET/POST has nothing to do with what pages you can access.
>> You should use role (preferred) or row based access control to those forms and non-public actions.
>>
>> The type is relevant for what type of action you take.
>> GET if it does not alter the database (view, index, add/edit for display of form)
>> POST to alter the database (add/edit upon save, delete)
>>
>> mark
>>
>>
>> On Friday, 8 August 2014 17:55:10 UTC+2, Steve Thomas wrote:
>>
>> I'm wondering what everyone is doing about the default links. I'm setting up an application that has multiple companies with multiple employees. One company can't see another company's employees.
>> However, if a manager can display a list of all their employees and edit them via GET, they can simply change the id in the address bar to pull up any arbitrary employee from their company or any other company.
>>
>> If I use a postLink, then the edit page opens blank because the setFlash(__('The user could not be saved. Please, try again.')) is triggered before the find('list') can fill out the form.
>> I'm only a couple of weeks new to cakephp and am under the impression cakephp won't allow an is() to validate a particular post name so I can create actions based on which post is being submitted; self or a view.
>>
>> I tried to leave the link as GET and encrypt/decrypt, but that continued to fail.
>> Please, any suggestions would be great. I can't imagine this security hole doesn't have an easy fix. I just haven't seen it yet.
>>
>> Thanks
>> Steve
>>
>>
>> --
>> Like Us on FaceBook https://www.facebook.com/CakePHP
>> Find us on Twitter http://twitter.com/CakePHP
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "CakePHP" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+u...@googlegroups.com.
>> To post to this group, send email to cake...@googlegroups.com.
>> Visit this group at http://groups.google.com/group/cake-php.
>> For more options, visit https://groups.google.com/d/optout.
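A worked version of the checks the thread converges on (scope every per-record find to the caller's company, keep GET for displaying the form and POST/PUT for saving, verify ownership before delete, and never let an edit with a manipulated id turn into an insert), as an added example for a CakePHP 2.x controller; it is not code from the thread or from CakePHP itself. The Employee model, company_id column and $this->Auth->user('company_id') follow the messages above; the controller name, the _findOwnEmployee helper, the column names in the field list and the flash messages are assumptions.

```php
<?php
// app/Controller/EmployeesController.php (assumed path) -- added example, not from the thread.
// Assumes an Employee model with a company_id column and AuthComponent holding the
// logged-in manager's company_id in the session.
App::uses('AppController', 'Controller');

class EmployeesController extends AppController {

    public $components = array('Auth', 'Session');

    // Every per-record action goes through this. The id from the URL is only honoured
    // if the row also belongs to the caller's company, so a manipulated id yields a
    // 404 instead of another company's employee (or an empty form that later inserts).
    // Redirecting to index with a flash warning, as Andras suggests, works equally well.
    protected function _findOwnEmployee($id) {
        $employee = $this->Employee->find('first', array(
            'conditions' => array(
                'Employee.id' => $id,
                'Employee.company_id' => $this->Auth->user('company_id'),
            ),
        ));
        if (empty($employee)) {
            throw new NotFoundException(__('Invalid employee'));
        }
        return $employee;
    }

    public function index() {
        // The listing is scoped the same way, so the edit/delete links it renders
        // only ever carry ids the manager is allowed to follow.
        $this->set('employees', $this->Employee->find('all', array(
            'conditions' => array('Employee.company_id' => $this->Auth->user('company_id')),
        )));
    }

    public function edit($id = null) {
        $employee = $this->_findOwnEmployee($id);

        if ($this->request->is('post') || $this->request->is('put')) {
            // Bind the save to the verified row: whatever id or company_id the client
            // posted is overwritten, and the field list stops any other column from
            // being mass-assigned. An edit can therefore never become an insert or a
            // move to another company.
            $this->Employee->id = $employee['Employee']['id'];
            $this->request->data['Employee']['id'] = $employee['Employee']['id'];
            $this->request->data['Employee']['company_id'] = $employee['Employee']['company_id'];
            $fieldList = array('id', 'company_id', 'name', 'email'); // assumed columns

            if ($this->Employee->save($this->request->data, true, $fieldList)) {
                $this->Session->setFlash(__('The employee has been saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The employee could not be saved. Please, try again.'));
        } else {
            // GET only populates the form; nothing is written (Mark's GET/POST split).
            $this->request->data = $employee;
        }
    }

    public function delete($id = null) {
        // postLink() submits a POST; a plain GET to /employees/delete/<id> is rejected
        // (allowMethod() is CakePHP 2.5+; older 2.x used onlyAllow()).
        $this->request->allowMethod('post', 'delete');
        $this->_findOwnEmployee($id); // 404 unless the row belongs to our company

        if ($this->Employee->delete($id)) {
            $this->Session->setFlash(__('The employee has been deleted.'));
        } else {
            $this->Session->setFlash(__('The employee could not be deleted.'));
        }
        return $this->redirect(array('action' => 'index'));
    }
}
```

The important property is that the id the client supplies is only ever used inside a query that also filters on the server-side company_id, and that the subsequent save is bound to the row that query returned rather than to anything in the POST body. Hiding the id (UUIDs, encryption of the URL parameter) is not a substitute for this check, since the authorization decision still has to be made on the server for every request.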