Just as an addition, I just had a thought of maybe creating a 'secureParam'
object that you could use.

If I had a class that had __get/__set methods (acting as an array) I passed
as a param to the common action, I could then confirm the passed param was
an instance of that class?

Would it be possible to forge such a request?


T

On Fri, Nov 28, 2008 at 11:51, Tim Nagel <[EMAIL PROTECTED]> wrote:

> Hello,
>
> I have been using multiple actions to build some pages by offloading
> common code to their own actions. Works great in most circumstances.
> However, I have come across a "security" issue where when I include an
> action that could reveal sensitive information depending on the conditions
> passed.
>
> If I use $this->_getParam('showDeleted', false); in the common action, so
> that I can pass showDeleted=true in the _forward or actionstack, it can also
> be included in the URL for any action that references the same common
> action.
>
> I guess each action that uses a specific common action should specifically
> set such values, but it's a hassle if you've got a huge number of params
> you're sending through.
>
> So, any suggestions? I'd really love to see a way of better communicating
> between actions without relying on the request object, but I've got no idea
> how it would be done, nor how to implement such a beast. (I also remember
> someone from Zend saying that it currently can't be done, but surely some of
> you are doing something similar! :-))
>
>
>
> Thanks
>
> Tim
>
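The 'secureParam' idea floated above, worked through as an added example (this is not code from the thread or from Zend Framework; the class name SecureParams, the function commonAction and the parameter name showDeleted are hypothetical). The point it demonstrates: values that arrive through the query string are always strings or arrays as PHP parses them, so an object handed over by an internal caller can be told apart from a forged URL parameter with a single instanceof check, and the common action can fall back to its safe default when the check fails.

```php
<?php
// Added example, not from the thread. SecureParams, commonAction and
// showDeleted are hypothetical names standing in for the 'secureParam'
// object proposed above and for the common action that consumes it.

final class SecureParams
{
    private array $values = [];

    // __get/__set let the object be used like the parameter array it replaces.
    public function __set(string $name, $value): void
    {
        $this->values[$name] = $value;
    }

    public function __get(string $name)
    {
        return $this->values[$name] ?? null;
    }

    public function __isset(string $name): bool
    {
        return isset($this->values[$name]);
    }
}

/**
 * Stand-in for the common action. $param is whatever the dispatcher found
 * under the shared parameter name, whether an internal caller placed it
 * there or it came from the URL.
 */
function commonAction($param): string
{
    // A query-string value is a string or an array, never an object, so a
    // forged URL cannot satisfy this test and lands on the safe default.
    $showDeleted = ($param instanceof SecureParams) && $param->showDeleted === true;

    return $showDeleted ? 'listing including deleted rows' : 'listing of live rows only';
}

// Internal caller: the object travels with the forwarded request.
$secure = new SecureParams();
$secure->showDeleted = true;
echo commonAction($secure), "\n";               // listing including deleted rows

// Constructed request parameters, parsed the way PHP parses a query string.
parse_str('secure[showDeleted]=true', $query);  // array, not an object
echo commonAction($query['secure']), "\n";      // listing of live rows only

parse_str('secure=true', $query);               // string, not an object
echo commonAction($query['secure']), "\n";      // listing of live rows only

echo commonAction(null), "\n";                  // parameter absent: safe default
```

The check is sound because the framework's request parsing never instantiates application classes from user input; it only holds as long as nothing in the application unserializes untrusted data into the same parameter bag. The other half of the thread's concern still stands: the common action should treat the absence of the object as "false", never as "whatever the URL says".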
