On 21 Mar 2009, at 11:40, Alan Bem wrote:

> On Sat, Mar 21, 2009 at 12:05 PM, Lee Bolding <l...@leesbian.net>  
> wrote:
>
> Is it even possible to overwrite $_SERVER['REMOTE_ADDR']? I'll try it
> later on.
>
> Of course - it's a variable.

Yup, I tested it - you can. I never thought of that before. I always  
assumed (hoped?) the Zend Engine would somehow make environment  
variables read-only.

> If you ask me, that "auditing" is not the responsibility of the model as well.

There were a bunch of debates about this very subject years ago when
the Spring framework was still very young.

There are two schools of thought - one that says auditing should be
flexible, and applied by - ideally - a (cross-cutting) aspect.

The other that believes an aspect isn't secure, and the DAO layer  
should be secured/self auditing. Usually, this is achieved by having  
the models you want audited extend an auditable class or implement an  
auditable interface.

There are some good discussions about these issues:

http://forum.springsource.org/showthread.php?p=229757
http://cagataycivici.wordpress.com/2006/07/03/aspect_oriented_audit_logging_with/

Of course, you also need to decide what exactly it is that you are
auditing - who changed what, when? from what, to what? what URL and  
params did they use? what roles and permissions were in effect when  
they did? are you auditing CHANGE of data, ACCESS to data or both? etc

To be honest, I haven't looked too closely into "proper" auditing with  
Symfony. But as you can see from the conversation so far, it's a  
pretty deep subject with a lot to consider - it's not just about  
saving the user's IP address in a table ;)

I know Doctrine has some auditing capabilities, so could be worth  
checking those out - but obviously that falls into the second school  
of thought, not the first.

"Proper" auditing is probably a plugin that could do with being
created... which could dovetail quite nicely with a chain-of-custody  
plugin. If there were more hours in the day...
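
The second approach from this message (models extending an auditable class), written out as an added example; it is not code from the thread, Symfony or Doctrine. `RequestContext`, `AuditableModel` and `Invoice` are hypothetical names, and the request facts are snapshotted once at bootstrap because `$_SERVER['REMOTE_ADDR']` is an ordinary writable array entry.

```php
<?php
// Snapshot of request facts, taken once at bootstrap. Later writes to
// $_SERVER (it is an ordinary array) cannot change what gets audited.
final class RequestContext
{
    private string $ip;
    private string $user;
    public function __construct(array $server, string $user)
    {
        $this->ip   = (string) ($server['REMOTE_ADDR'] ?? 'unknown');
        $this->user = $user;
    }
    public function ip(): string   { return $this->ip; }
    public function user(): string { return $this->user; }
}

// Hypothetical base class: models that must be audited extend it.
abstract class AuditableModel
{
    private array $data = [];
    private array $trail = [];
    private RequestContext $ctx;

    public function __construct(RequestContext $ctx) { $this->ctx = $ctx; }

    public function set(string $field, $value): void
    {
        $old = $this->data[$field] ?? null;
        if ($old === $value) {
            return; // nothing changed, nothing to audit
        }
        $this->data[$field] = $value;
        $this->trail[] = [ // who changed what, when, from what, to what
            'when' => gmdate('c'), 'who' => $this->ctx->user(),
            'ip' => $this->ctx->ip(), 'model' => static::class,
            'field' => $field, 'from' => $old, 'to' => $value,
        ];
    }
    public function auditTrail(): array { return $this->trail; }
}

final class Invoice extends AuditableModel {}

// Constructed sample request data, not taken from a real system.
$ctx = new RequestContext(['REMOTE_ADDR' => '192.0.2.10'], 'alice');
$_SERVER['REMOTE_ADDR'] = '203.0.113.99'; // later overwrite is ignored
$invoice = new Invoice($ctx);
$invoice->set('status', 'paid');
print_r($invoice->auditTrail()); // one entry, ip recorded as 192.0.2.10
```

This records CHANGE of data only; auditing ACCESS would need a matching hook on reads.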

