Re: Auth: deleted user still logged in

2008-10-17 Thread xavierunited

That has already been said!

On 10/17/2008, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> When a user is removed from the Users table, remove them from ACL.
> That way when (or if) they try and do something, ACL will deny them.
> It doesn't matter that they are still logged in since they are logged
> in as a user that can't do anything. Mark Story has a GREAT 3 part ACL
> tutorial and there is data about that in the book too. The reason you
> shouldn't check to see if their "disabled" or whatever flag you want
> to use is, that will require an extra DB call on EVERY page which is
> unfortunate for speed. If you take out their ACL nodes, there are
> fewer DB requests in the case that the user doesn't have privileges to
> do the requested action.
>
> So, in sum -- use ACL.
>
> On Oct 16, 5:57 am, on24nl <[EMAIL PROTECTED]> wrote:
>> I found a small problem with the Auth component in my latest cake app:
>> -User is logged in
>> -I'm also logged in and I delete the other user
>> -The other (now non-existing) user is still logged in!
>>
>> Why does Auth not check if a User also exists?! How to fix this?


-- 
Xavier A. Mathews
Student/Developer/Web-Master
GG Client Based Tech Support Specialist
Hazel Crest Illinois
[EMAIL PROTECTED]
"Fear of a name, only increases fear of the thing itself."

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---



Re: Auth: deleted user still logged in

2008-10-17 Thread [EMAIL PROTECTED]

When a user is removed from the Users table, remove them from ACL.
That way when (or if) they try and do something, ACL will deny them.
It doesn't matter that they are still logged in since they are logged
in as a user that can't do anything. Mark Story has a GREAT 3 part ACL
tutorial and there is data about that in the book too. The reason you
shouldn't check to see if their "disabled" or whatever flag you want
to use is, that will require an extra DB call on EVERY page which is
unfortunate for speed. If you take out their ACL nodes, there are
fewer DB requests in the case that the user doesn't have privileges to
do the requested action.

So, in sum -- use ACL.

On Oct 16, 5:57 am, on24nl <[EMAIL PROTECTED]> wrote:
> I found a small problem with the Auth component in my latest cake app:
> -User is logged in
> -I'm also logged in and I delete the other user
> -The other (now non-existing) user is still logged in!
>
> Why does Auth not check if a User also exists?! How to fix this?



Re: Auth: deleted user still logged in

2008-10-17 Thread xavierunited

Both of the methods are the same, only you use controller.

On 10/17/2008, Mathew <[EMAIL PROTECTED]> wrote:
>
> This is a security issue, and not an identity authentication issue.
>
> The Auth component is designed to make it easy to confirm someone's
> identity, but not to manage security or permissions for a website. You
> could use ACL or do it yourself.
>
> Anytime a user does something that requires a level of security you
> should always perform a security check to see if that user has
> permissions, and not rely on session data or cookies to cache those
> permission rights.
>
> Deleting a user from the Auth database is nothing more than erasing
> all history of that user's identity, and every association will be
> broken if they created documents, comments, or tasks that are linked.
> How will you know that user "xxx" was deleted?
>
> I would recommend adding a field to your user table called "role", and
> changing that role field to "disabled". Every action a user can
> perform should be verified that their role hasn't changed.
>
> In your AppController in the beforeFilter method you should do the
> following.
>
> $this->Auth->authorize = 'controller';
>
> This will tell the Auth component to call isAuthorized for every
> request to see if the user can perform the current action in a
> controller.
>
> It's in this method that you should look up the current user's role
> from the database, and make sure it's not equal to "disabled". If it
> is then you should perform a redirect to a message page explaining their
> access has been restricted, and include information about why and who
> they should contact.
>
> For example, in my controller only users with the role of
> administrator can access admin pages.
>
>   /**
>* Called by the Auth component to check if the user has access to
> the
>* current action.
>*/
>   function isAuthorized()
>   {
>   // Check if the params contains the key admin
>   if (isset($this->params[Configure::read('Routing.admin')]))
>   {
>   if ($this->Auth->user('role') !== 'admin')
>   {
>   return false;
>   }
>   }
>   return true;
>   }
>
> Now, my method uses the session information to validate the role,
> which is fine for my website, but if you want real time status you can
> perform a simple find on the User table yourself.





Re: Auth: deleted user still logged in

2008-10-17 Thread Mathew

This is a security issue, and not an identity authentication issue.

The Auth component is designed to make it easy to confirm someone's
identity, but not to manage security or permissions for a website. You
could use ACL or do it yourself.

Anytime a user does something that requires a level of security you
should always perform a security check to see if that user has
permissions, and not rely on session data or cookies to cache those
permission rights.

Deleting a user from the Auth database is nothing more than erasing
all history of that user's identity, and every association will be
broken if they created documents, comments, or tasks that are linked.
How will you know that user "xxx" was deleted?

I would recommend adding a field to your user table called "role", and
changing that role field to "disabled". Every action a user can
perform should be verified that their role hasn't changed.

In your AppController in the beforeFilter method you should do the
following.

$this->Auth->authorize = 'controller';

This will tell the Auth component to call isAuthorized for every
request to see if the user can perform the current action in a
controller.

It's in this method that you should look up the current user's role
from the database, and make sure it's not equal to "disabled". If it
is then you should perform a redirect to a message page explaining their
access has been restricted, and include information about why and who
they should contact.

For example, in my controller only users with the role of
administrator can access admin pages.

/**
 * Called by the Auth component to check if the user has access to
 * the current action.
 */
function isAuthorized()
{
    // Check if the params contains the key admin, i.e. this request
    // came in through an admin-prefixed route
    if (isset($this->params[Configure::read('Routing.admin')]))
    {
        // Only a session whose role is 'admin' may reach admin pages
        if ($this->Auth->user('role') !== 'admin')
        {
            return false;
        }
    }
    return true;
}

Now, my method uses the session information to validate the role,
which is fine for my website, but if you want real time status you can
perform a simple find on the User table yourself.



Re: Auth: deleted user still logged in

2008-10-17 Thread on24nl

The (not existing but still logged in) user should not have any access
at all!

I solved it by putting this into the AppController's beforeFilter:

// On every request, re-check that the user id held in the session
// still exists in the users table
if ($checkuser = $this->Session->read('Auth.User.id'))
{
    // identify() looks the id up in the User model and returns
    // false/null when the row is no longer there
    if ( !$this->Auth->identify($checkuser) )
    {
        // logout() clears the Auth session and returns the logout
        // redirect URL; redirect there so the stale request stops here
        $this->redirect($this->Auth->logout());
    }
}

On 16 Oct, 21:42, James K <[EMAIL PROTECTED]> wrote:
> I disagree. That is an unnecessary query on every page - it's the
> reason we have session states.
>
> This is something that foreign key constraints can solve at the
> database level. The user shouldn't be able to submit or change any
> information if their user id does not exist.
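A combined form of the two approaches in this thread (Mathew's `authorize = 'controller'` with a role check in isAuthorized, and on24nl's per-request existence check in beforeFilter), as an added example that is not code from any post here. It assumes a CakePHP 1.2-style AppController, the Auth and Session components, and a users table with a "role" column whose value "disabled" means locked out; the flash message text is made up.

```php
<?php
// Added example, not code from the thread: an AppController that re-validates
// the logged-in user against the database on every request, so a deleted or
// disabled account loses access immediately instead of living on in the session.
// Assumed: CakePHP 1.2, Auth + Session components, users table with a "role" column.
class AppController extends Controller {
    var $components = array('Auth', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        // Make Auth call $this->isAuthorized() for every request.
        $this->Auth->authorize = 'controller';
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
    }

    /**
     * Called by Auth on each request of a logged-in user. Returns true only if
     * the session's user id still exists in the database, is not disabled and,
     * for admin-prefixed routes, carries the admin role. The lookup is one
     * primary-key read per request, which is the cost of not trusting the session.
     */
    function isAuthorized() {
        $id = $this->Auth->user('id');
        if (!$id) {
            return false;
        }
        $User = ClassRegistry::init($this->Auth->userModel);
        $row = $User->find('first', array(
            'conditions' => array($User->alias . '.' . $User->primaryKey => $id),
            'fields'     => array('id', 'role'),
            'recursive'  => -1,
        ));
        // Deleted or disabled: the session is stale, so end it here rather
        // than let the request reach the action.
        if (empty($row) || $row[$User->alias]['role'] === 'disabled') {
            $this->Session->setFlash('Your account is no longer active.');
            $this->redirect($this->Auth->logout());
            return false;
        }
        // Admin-prefixed routes additionally require the admin role, checked
        // against the database row rather than the cached session value.
        if (isset($this->params[Configure::read('Routing.admin')])) {
            return $row[$User->alias]['role'] === 'admin';
        }
        return true;
    }
}
```

Because the role is read from the database and not from the session, disabling or deleting an account takes effect on that user's very next request, which is the behaviour on24nl was asking for.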



Re: Auth: deleted user still logged in

2008-10-16 Thread xavierunited

Why not?

On 10/16/2008, James K <[EMAIL PROTECTED]> wrote:
>
> I disagree. That is an unnecessary query on every page - it's the
> reason we have session states.
>
> This is something that foreign key constraints can solve at the
> database level. The user shouldn't be able to submit or change any
> information if their user id does not exist.
>
> - James
>
>
> On Oct 16, 12:39 pm, on24nl <[EMAIL PROTECTED]> wrote:
>> That's the whole problem: how to sign him out? Cake should check if
>> the user exists on each request. Otherwise this is a big security
>> hole!
>>
>> On 16 Oct, 18:33, [EMAIL PROTECTED] wrote:
>>
>> > Well it could be a little hack. When you delete the user make sure
>> > that user is first signed out or the information may still be there
>> > allowing that user to delete you or change info.





Re: Auth: deleted user still logged in

2008-10-16 Thread James K

I disagree. That is an unnecessary query on every page - it's the
reason we have session states.

This is something that foreign key constraints can solve at the
database level. The user shouldn't be able to submit or change any
information if their user id does not exist.

- James


On Oct 16, 12:39 pm, on24nl <[EMAIL PROTECTED]> wrote:
> That's the whole problem: how to sign him out? Cake should check if
> the user exists on each request. Otherwise this is a big security
> hole!
>
> On 16 Oct, 18:33, [EMAIL PROTECTED] wrote:
>
> > Well it could be a little hack. When you delete the user make sure
> > that user is first signed out or the information may still be there
> > allowing that user to delete you or change info.



Re: Auth: deleted user still logged in

2008-10-16 Thread xavierunited

Go under his account and delete him! Will that work?

On 10/16/2008, on24nl <[EMAIL PROTECTED]> wrote:
>
> That's the whole problem: how to sign him out? Cake should check if
> the user exists on each request. Otherwise this is a big security
> hole!
>
> On 16 Oct, 18:33, [EMAIL PROTECTED] wrote:
>> Well it could be a little hack. When you delete the user make sure
>> that user is first signed out or the information may still be there
>> allowing that user to delete you or change info.
>





Re: Auth: deleted user still logged in

2008-10-16 Thread on24nl

That's the whole problem: how to sign him out? Cake should check if
the user exists on each request. Otherwise this is a big security
hole!

On 16 Oct, 18:33, [EMAIL PROTECTED] wrote:
> Well it could be a little hack. When you delete the user make sure
> that user is first signed out or the information may still be there
> allowing that user to delete you or change info.




Re: Auth: deleted user still logged in

2008-10-16 Thread xavierunited

Well it could be a little hack. When you delete the user make sure
that user is first signed out or the information may still be there
allowing that user to delete you or change info.

On 10/16/2008, on24nl <[EMAIL PROTECTED]> wrote:
>
> I found a small problem with the Auth component in my latest cake app:
> -User is logged in
> -I'm also logged in and I delete the other user
> -The other (now non-existing) user is still logged in!
>
> Why does Auth not check if a User also exists?! How to fix this?

