Just as an addition, I just had a thought of maybe creating a 'secureParam' object that you could use.
If I had a class that had __get/__set methods (acting as an array) I passed as a param to the common action, I could then confirm the passed param was an instance of that class? Would it be possible to forge such a request?

T

On Fri, Nov 28, 2008 at 11:51, Tim Nagel <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I have been using multiple actions to build some pages by offloading
> common code to their own actions. Works great in most circumstances.
> However, I have come across a "security" issue where when I include an
> action that could reveal sensitive information depending on the conditions
> passed.
>
> If I use $this->_getParam('showDeleted', false); in the common action, so
> that I can pass showDeleted=true in the _forward or actionstack, it can also
> be included in the URL for any action that references the same common
> action.
>
> I guess each action that uses a specific common action should specifically
> set such values, but it's a hassle if you've got a huge number of params
> you're sending through.
>
> So, any suggestions? I'd really love to see a way of better communicating
> between actions without relying on the request object, but I've got no idea
> how it would be done, nor how to implement such a beast. (I also remember
> someone from Zend saying that it currently can't be done, but surely some of
> you are doing something similar! :-))
>
> Thanks
>
> Tim
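The type check proposed in this message, as an added example that is not part of the original thread and not Zend Framework code: HTTP input reaches PHP only as strings or arrays, so a parameter supplied in the URL or POST body can never satisfy an instanceof test. The SecureParam class, the 'secure' key and commonActionShowsDeleted() are hypothetical names, and the plain array stands in for the request object's merged parameter bag.

```php
<?php
// Marker object as described in the post: array-like access via __get/__set.
// Hypothetical class, not part of any framework.
final class SecureParam
{
    private $values = array();

    public function __construct(array $values = array())
    {
        $this->values = $values;
    }

    public function __set($name, $value)
    {
        $this->values[$name] = $value;
    }

    public function __get($name)
    {
        return isset($this->values[$name]) ? $this->values[$name] : null;
    }
}

// Stand-in for the common action: it trusts only a SecureParam instance.
// $params models the merged request parameters (assumption for this sketch).
function commonActionShowsDeleted(array $params)
{
    $secure = isset($params['secure']) ? $params['secure'] : null;
    if (!$secure instanceof SecureParam) {
        return false; // strings and arrays from the URL or POST body end here
    }
    // Strict comparison, so a string 'true' inside the object is not enough.
    return $secure->showDeleted === true;
}

// Constructed samples of what PHP produces for ?secure=true
// and for ?secure[showDeleted]=true
$fromUrlString = array('secure' => 'true');
$fromUrlArray  = array('secure' => array('showDeleted' => 'true'));
// What a calling action would set itself before forwarding.
$fromAction    = array('secure' => new SecureParam(array('showDeleted' => true)));

var_dump(commonActionShowsDeleted($fromUrlString));
var_dump(commonActionShowsDeleted($fromUrlArray));
var_dump(commonActionShowsDeleted($fromAction));
```

Only the last call reports true. The guarantee depends on the application never passing request data through unserialize() before it reaches the parameter bag.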