SecurityComponent does not do much for Ajax requests. At least not in
that way.

I use $this->Post->del($id) less and less. Instead I use deleteAll() in
this way:
$this->Post->deleteAll(array(
    'Post.id' => $id,
    'Post.author_id' => $auth_user_id
), true, true);

This will ensure that a user can only delete their own posts... Ajax
or plain request does not matter. SecurityComponent cannot take care
of all your security even without Ajax, and deleting with conditions is
a good way to limit the possible damage.



On Apr 21, 6:04 am, "Dave Maharaj :: WidePixels.com"
<d...@widepixels.com> wrote:
> I have just been messing around with my app and changing values in Ajax
> links with Firebug to see what happens...sure enough I can be logged in as
> user 1 and thru an Ajax form delete a post by User 2. Been reading about the
> Security Component but seems from what I have found is that it does not work
> with AJAX requests. Is this true? What is the best way to secure an app by
> preventing people from using Firebug to edit the code and submit/edit/delete
> info?
>
> I have general if this Auth User('id') = $this type setup for users/owners
> and so on but how can you prevent the data in forms from being manipulated?
>
> Thanks,
>
> Dave
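
The ownership-scoped delete suggested in the reply above, as an added example that is not part of the original thread or of CakePHP itself. It assumes plain PDO with an in-memory SQLite database in place of the Cake model layer; the table, column and function names are constructed for illustration.

```php
<?php
// Added example. PDO + in-memory SQLite stand in for the CakePHP Post model;
// schema, sample rows and function names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER NOT NULL, title TEXT)');
$db->exec("INSERT INTO posts (id, author_id, title) VALUES (1, 1, 'by user 1')");
$db->exec("INSERT INTO posts (id, author_id, title) VALUES (2, 2, 'by user 2')");

// Unscoped delete: trusts the id sent by the browser, so ownership is never checked.
function deleteById(PDO $db, $postId) {
    $stmt = $db->prepare('DELETE FROM posts WHERE id = ?');
    $stmt->execute(array((int) $postId));
    return $stmt->rowCount();
}

// Scoped delete: the owner id is taken from the server-side session, never from
// the request. Same idea as deleteAll() with Post.id and Post.author_id conditions.
function deleteOwnPost(PDO $db, $postId, $sessionUserId) {
    $stmt = $db->prepare('DELETE FROM posts WHERE id = ? AND author_id = ?');
    $stmt->execute(array((int) $postId, (int) $sessionUserId));
    return $stmt->rowCount(); // 0 means "no such post" or "not yours"
}

$sessionUserId  = 1; // logged in as user 1
$tamperedPostId = 2; // id edited in the browser to point at user 2's post

// Show what the unscoped version would do, then roll it back.
$db->beginTransaction();
$n = deleteById($db, $tamperedPostId);
$db->rollBack();
echo "unscoped delete of post $tamperedPostId by user $sessionUserId: $n row(s)\n";

// The scoped version ignores the tampered id because the owner does not match.
$n = deleteOwnPost($db, $tamperedPostId, $sessionUserId);
echo "scoped delete of post $tamperedPostId by user $sessionUserId: $n row(s)\n";
if ($n === 0) {
    // Treat zero rows as a failed request: answer 404/403 and log the attempt.
    echo "rejected: post $tamperedPostId is not owned by user $sessionUserId\n";
}

// A legitimate request for the user's own post still works.
$n = deleteOwnPost($db, 1, $sessionUserId);
echo "scoped delete of post 1 by user $sessionUserId: $n row(s)\n";

$remaining = $db->query('SELECT id FROM posts ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
echo 'remaining post ids: ' . implode(', ', $remaining) . "\n";
```

The same check applies whether the request arrives as an Ajax call or a normal form post, since it depends only on the session user and the row's owner column.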