I am using Symfony 1.4, sfDoctrineGuardPlugin.
On my backend app, users can reach a page which they cannot actually by changing url manually. Is there any way to stop it?
Lets say, every author can just reach their own data normally. But if they change id on url they can edit which article the开发者_如何学Goy want. I searched on the internet but cannot find any solution for it? Do you know a way?
Thanks a lot.
By just hiding things that doesn't belong to a particular author you can't protect them from being edited or deleted.
Overload executeEdit
/executeUpdate
/executeDelete
actions in your backend modules to avoid unauthorized management.
Something like:
public function executeEdit(sfWebRequest $request) {
...
$this->forward404Unless($this->article->belongsTo($me));
...
}
In addition, you can check for proper credentials. It's useful when you want to some user groups to access some special content, or content of another users.
Hope that helps.
you have to make a relation between article and authors. I presume there is already one, so the best approach is to override doSelect method in ArticlePeer to check with Author. Just add a criteria to select articles belongs to the current user.
精彩评论