Stave,

To keep things as simple as possible I would:
Edit with a changed id should not save as a new record; there is add() for that 
action..
Manipulating the id in the url should either redirect to index with a flash 
warning message or throw an error..

Andras

On Aug 8, 2014, at 5:21 PM, Steve Thomas <smt9...@gmail.com> wrote:

> Thanks Andras, I decided to do what you suggested with the condition. It 
> works. If a manager of one company is editing one of their employees and 
> decides to change the (id) in the address bar and the (id) belongs to an 
> employee of a different company, a blank edit form will appear. If they fill 
> out the form it simply adds another employee to their company roster.
> I'm still amazed there isn't something in cakephp that solves it with a post.
> 
> Thanks for your help.
> Steve Thomas
> 
> On Friday, August 8, 2014 6:16:52 PM UTC-4, Andras Kende wrote:
> You could add a condition like
> 
> 'conditions' => array(
>       'Employee.company_id' => $this->Auth->user('company_id')
> )
> 
> So when changing the id in the url the application still only allows fetch 
> data which belongs to the same company..
> 
> The same applies for delete, just check before if current user has access to 
> the record to be deleted...
> 
> If you need to hide id, then one option is to use uuid() as primary key.
> 
> Andras
> 
> On Aug 8, 2014, at 1:33 PM, Steve Thomas <smt...@gmail.com> wrote:
> 
>> Thanks Mark,
>> I am using ACL. So for example, if a role such as a manager can list all the 
>> employees of that company, it also adds the Action links (add) (edit) 
>> (delete). If this manager clicks to edit one of the employee (users), this 
>> is sent to the EDIT view via GET with the user id in the address bar - 
>> controller/method/id. All the manager would have to do is change the id in 
>> the address bar to access another user. Possibly a user from a different 
>> company which they shouldn't be able to access.  
>> It's generally not acceptable programming to send account id via GET because 
>> of this security breach. It should always be sent POST. However, the EDIT 
>> form submits to itself and therefore conflicts with other posts.
>> I was hoping this is such a basic and common flaw that there would be an 
>> easy fix.
>> I hope that cleared up what I'm trying to accomplish.
>> Another example is the DELETE link on the same Action with EDIT and ADD uses 
>> postLink() to avoid the id being sent via GET in the address bar. However, 
>> the delete page doesn't have any other POST or self submissions and no 
>> conflicts.
>> 
>> Thanks
>> Steve
>> 
>> On Friday, August 8, 2014 3:03:57 PM UTC-4, euromark wrote:
>> I think you are confusing a few things here.
>> GET/POST has nothing to do with what pages you can access.
>> You should use role (preferred) or row based access control to those forms 
>> and non-public actions.
>> 
>> The type is relevant for what type of action you take.
>> GET if it does not alter the database (view, index, add/edit for display of 
>> form)
>> POST to alter the database (add/edit upon save, delete)
>> 
>> mark
>> 
>> 
>> Am Freitag, 8. August 2014 17:55:10 UTC+2 schrieb Steve Thomas:
>> I'm wondering what everyone is doing about the default links. I'm setting up 
>> an application that has multiple companies with multiple employees. One 
>> company can't see another company's employees.
>> However, if a manager can display a list of all their employees and edit 
>> them via GET, they can simply change the id in the address bar to pull up 
>> any arbitrary employee from their company or any other company.
>> 
>> If I use a postLink, then the edit page opens blank because the 
>> setFlash(__('The user could not be saved. Please, try again.')) is triggered 
>> before the find('list') can fill out the form.
>> I'm only a couple weeks new to cakephp and am under the impression cakephp 
>> won't allow an is() to validate a particular post name so I can create 
>> actions based on which post is being submitted; self or a view.
>> 
>> I tried to leave the link as GET and encrypt/decrypt, but that continued to 
>> fail.
>> Please, any suggestions would be great. I can't imagine this security hole 
>> doesn't have an easy fix. I just haven't seen it yet.
>> 
>> Thanks
>> Steve
>> 
>> 
>> -- 
>> Like Us on FaceBook https://www.facebook.com/CakePHP
>> Find us on Twitter http://twitter.com/CakePHP
>> 
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CakePHP" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cake-php+u...@googlegroups.com.
>> To post to this group, send email to cake...@googlegroups.com.
>> Visit this group at http://groups.google.com/group/cake-php.
>> For more options, visit https://groups.google.com/d/optout.
> 
> 

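As an added example (not code from this thread), here is how the company-scoped condition Andras recommends, together with the edit and delete checks he describes, could look in a CakePHP 2.x controller. The EmployeesController name, the Employee model and its company_id column are assumptions.

```php
<?php
// Added example: every lookup is scoped to the logged-in manager's company,
// so a changed id in the URL can never reach another company's record.
// EmployeesController, Employee and company_id are assumed names.
App::uses('AppController', 'Controller');

class EmployeesController extends AppController {

    // Fetch one employee only if it belongs to the current user's company.
    // Returns an empty array when the id is missing, foreign or tampered with.
    protected function _findOwnEmployee($id) {
        return $this->Employee->find('first', array(
            'conditions' => array(
                'Employee.id' => $id,
                'Employee.company_id' => $this->Auth->user('company_id'),
            ),
        ));
    }

    public function edit($id = null) {
        $employee = $this->_findOwnEmployee($id);
        if (!$employee) {
            // No blank form for an unknown or foreign id: redirect with a flash.
            $this->Session->setFlash(__('Invalid employee.'));
            return $this->redirect(array('action' => 'index'));
        }
        if ($this->request->is(array('post', 'put'))) {
            // Pin the key and company to the record just verified, so a
            // tampered hidden id cannot create a new row or move one.
            $this->request->data['Employee']['id'] = $employee['Employee']['id'];
            $this->request->data['Employee']['company_id'] = $employee['Employee']['company_id'];
            if ($this->Employee->save($this->request->data)) {
                $this->Session->setFlash(__('The employee has been saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The employee could not be saved. Please, try again.'));
        } else {
            $this->request->data = $employee; // prefill the form from the verified record
        }
    }

    public function delete($id = null) {
        $this->request->allowMethod('post', 'delete'); // GET links cannot delete
        if (!$this->_findOwnEmployee($id)) {
            throw new NotFoundException(__('Invalid employee.'));
        }
        $this->Employee->delete($id);
        $this->Session->setFlash(__('The employee has been deleted.'));
        return $this->redirect(array('action' => 'index'));
    }
}
```

Request::is() with an array and allowMethod() require CakePHP 2.5 or later; on older 2.x use `is('post') || is('put')` and a manual method check.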