I want to protect certain methods in my application such as publish, unpublish, and close. By protection I don't mean user authorisation but rather the ability to call the method in a certain way.
I have thought about FORCING the methods to be called using POST rather than GET so that a person can't just paste the URL in the address (even though I could just check the user id of the person doing it). However this means wrapping each button in a different form for each method call.
Alternatively I could use a GUID to allow the GET method but make sure it only allows the correct person to do the function.
Any thoughts ideas on this?
So far I have tried:
function publish($id = null)
{
$post = $this->Post->find('first',array('conditions'=>array('Post.id'=>Tiny::reverseTiny($id))));
if ($this->request->is('post') || $this->request->is('put'))
{
$this->Post->id = $post['Post']['id'];
$this->Post->saveField('status', 1);
$this->Session->setFlash('Your post has been published!');
$this->redirect(array('controller'=>'posts','action'=>'view','id'=>Tiny::toTiny($post['Post']['id'])));
}
else
{
die('GET METHOD NOT ALLOWED');
}
}
But as stated above that means the link/button for this method would need be in a form containing the action call to this method. And If I have several methods I would need several forms...
Cheers
One way I have thought about is allowing the get method and then checking the user id of the post compared with the logged in user id like so:
if ($this->request->is('get'))
{
if($post['Post']['user_id'] != $this->Auth->user('id'))
{
$this->Session->setFlash('You don\'t have permission to edit that post!');
$this->redirect(array('controller' => 'posts', 'action' => 'index'));
}
else
{
$this->Post->id = $post['Post']['id'];
$this->Post->saveField('status', 1);
$this->Session->setFlash('Your post has been published!');
$this->redirect(array('controller'=>'posts','action'=>'view','id'=>Tiny::toTiny($post['Post']['id'])));
}
}
Is this good practice?
(Assuming CakePHP 2.0 here)
Firstly, rather than calling die on a Post/Get check. Throw an exception, exceptions in cake are wonderful (Exceptions):
if (!$this->request->is('get')) {
throw new MethodNotAllowedException();
}
Cake also provides a way to generate a link to delete (via post) in your template.
<?php echo $this->Form->postLink('Delete',
array('action' => 'delete', $post['Post']['id']),
array('confirm' => 'Are you sure?'));
?>
Edit (Link): postLink
This is my first answer in a Stack Overflow. Hope it was helpful.
It sounds like you need ACL or some form of permissions if you want to only allow certain users to perform the function. The reason you wouldn't use something like you have posted ( if($post['Post']['user_id'] != $this->Auth->user('id')) ) is because you will end up replicating that code in a lot of functions through out your code base. That is very sloppy.
However, you only want to make sure that the submission was submitted in a specific manner, then the throw error method is the way to go. And you should be able to keep the submission inside the same function like so:
public function publish($id = null) {
if (!$id || !$this->request->is('get') || !$this->request->is('post') || !$this->request->is('put')) {
throw new MethodNotAllowedException();
}
if ($this->request->is('post') || $this->request->is('put')) {
$this->Post->id = $post['Post']['id'];
$this->Post->saveField('status', 1);
$this->Session->setFlash('Your post has been published!');
$this->redirect(array('controller'=>'posts','action'=>'view','id'=>Tiny::toTiny($post['Post']['id'])));
}
if ($this->request->is('get')) {
// perform your get request here
}
}
With minimal code
$this->request->allowMethod('post');
Related
I have just installed codoforum (https://codoforum.com)
and want to use this feature https://codoforum.com/documentation/implementing-codoforum-sso
which consist of integrating Single Sign on in my website.
The website I which to integrate the forum into it is using Yii 1 Framework, I am not familiar with it unfortunately.
Following the documentation of codoforum, I filled in the configuation form and enabled the SSO plugin, what I should do now is complete the file client.php here : https://github.com/evnix/codoforum-sso.
Especially those lines :
if (USER_IS_LOGGED_IN) {
$account['uid'] = USERID; //Your logged in user's userid
$account['name'] = USERNAME; //Your logged in user's username
$account['mail'] = EMAILID; //Your logged in user's email id
$account['avatar'] = ''; //not used as of now
}
I filled in those filled manually and it worked, It detects if I am already connected to yii1 website and connect me to the forum using the email I provided.
What I want now is to get those information using the session, I put the file clien.php in the root of my website mywebsite.com/client.php
I have done some research and I found that this method in siteController is responsible for logging :
public function actionLogin() {
$model = new LoginForm;
// if it is ajax validation request
if (isset($_POST['ajax']) && $_POST['ajax'] === 'login-form') {
echo CActiveForm::validate($model);
Yii::app()->end();
}
// collect user input data
if (isset($_POST['LoginForm'])) {
$model->attributes = $_POST['LoginForm'];
// validate user input and redirect to the previous page if valid
if ($model->validate() && $model->login()) {
if (Yii::app()->session['type'] == 1 ) {
$this->redirect(Yii::app()->homeUrl . 'administration/team');
}else if (Yii::app()->session['type'] == 2 ) {
$this->redirect(Yii::app()->homeUrl . 'agenda');
} else {
$this->redirect(Yii::app()->homeUrl);
}
}
}
// display the login form
$this->render('login', array('model' => $model));
}
I have tried to add this code :
session_start();
$_SESSION['username']=$model->username;
(after : if ($model->validate() && $model->login()))
and use $_Session in the file client.php but it didn't work.
The problem is that I have no idea how yii1 framework work, and it will take me sometime to be familiar with it, I know that there is session in Yii1, but I don't know how to use it and where to put the file client.php and how can I make it detect the Yii Session.
But if I can use the global session it would be better.
Thank you so much for your time and your answer.
I'm working on custom module and in my IndexController.php I'd written this function to add user to database
public function addAction() {
if($this->getRequest()->getParam('name', '') == ''){
$this->_redirect('etech/user');
//die; or exit;
}
$form = $this->getRequest()->getParams();
$user = Mage::getModel('test/test');
foreach ($form as $key => $val){
$user->setData($key, $val);
}
try{
$user->save();
}catch(Exception $e){
print_r($e);
}
$this->_redirect('etech/user', array('msg'=>'success'));
}
I want to prevent users from accessing this url directly as www.example.com/index.php/etech/user/add/. For this I'd made a check if($this->getRequest()->getParam('name', '') == ''){}. The redirect is working well except the code in there keeps executing and user sees a success message which should not be seen. For this, I'd used old fashioned exit or die to stop executing the code then it doesn't even redirect.
What is the magento way to handle it? Also, as I'm using getRequest()->getParams(), it return both parameters either in get or post. Isn't any way out to get only post parametrs?
It is correct to use $this->_redirect(), but you must follow it up with a return, ideally return $this;. You could also use exit or die, as you have been doing, but as I'm sure you know it would be better to let Magento do whatever it wants to do before redirecting you.
As long as you return immediately after $this->_redirect(), you won't have any issues.
Edit: And as for the request params question, I think you can call something like $this->getRequest()->getPostData() (that was false). The general convention is to use getParams() regardless of whether the data was sent via GET or POST, because technically your code shouldn't be concerned about that.
Edit #2:
If the general convention doesn't apply and you desperately need to restrict access to your page based on POST vs. GET, here's a handy snippet from Mohammad:
public function addAction()
{
if ($this->getRequest()->isPost()) {
// echo 'post'; do your stuff
} else {
// echo 'get'; redirect
}
}
I am making a system using CakePHP in which the users can be either A, B or C. Like student, teacher and some other role. Is it possible to let them all login via 1 link? so not /students/login and /teachers/login, but something like www.somewebsite/login for all of them?
Read this tutorial, it exactly covers what you're asking for. Also read this section.
It does not make any sense at all to have different controllers for different types of users, you'll just duplicate code. If you need to take different actions based on the role you can do that within your login method by calling another method like afterStudentLogin() from within your login() method and do role specific things there. The reason for that is that a single method should always just do one task, so you decouple the role specific code from it in a separate method.
public function login() {
if ($this->Auth->user()) {
/* ... */
$callback = 'after' . $this->Auth->user('role') . 'Login');
$this->{$callback}($this->Auth->user());
/* ... */
}
}
Even if the user types are very different, they all will share a common thing: The login. In this case have an users table and for example student_profils table and teacher_profiles table. If the difference is just a few fields I would put them all in one table like profiles.
If you want to have /login instead of /users/login you should use routing.
Router::connect(
'/login',
array(
'controller' => 'users',
'action' => 'login'
)
);
You can also take a look at this Users plugin which covers a lot of the usual user related tasks. And here is a simple multi-role authorization adapter.
A simple basic login function depending on user group would look like as given below
<?php
public function login() {
//if user already logged in call routing function...
if($this->Session->read('Auth.User')) {
$this->routing();
}
if ($this->request->is('post')) {
if ($this->Auth->login()) {
//if user status is active...
if ($this->Auth->user('status') == 1){
//redirect users based on his group id...
if($this->Auth->User('group_id')==1){
$this->redirect($this->Auth->redirect('/admins/dashboard'));
}
else if($this->Auth->User('group_id')==2){
$this->redirect($this->Auth->redirect('/teachers/dashboard'));
}
else if($this->Auth->User('group_id')==3){
$this->redirect($this->Auth->redirect('/students/dashboard'));
}
}
else{
$this->Session->delete('User');
$this->Session->destroy();
$this->Session->setFlash('Your account is not yet activated. Please activate your account to login.', 'warning');
}
}
else {
$this->Session->setFlash('Your username or password was incorrect.', 'error');
}
}
}
//just route the loggedin users to his proper channel...
public function routing() {
if($this->Session->read('Auth.User.Group.id') == 1) {
$this->redirect('/admins/dashboard');
}
else if($this->Session->read('Auth.User.Group.id') == 2) {
$this->redirect('/teachers/dashboard');
}
else if($this->Session->read('Auth.User.Group.id') == 3) {
$this->redirect('/students/dashboard');
}
else {
$this->Session->destroy();
$this->redirect('/');
}
}
?>
How do I get the CodeIgniter form validation to validate the $_SESSION if there is no passed form data? I tried manually setting the $_REQUEST variable, but it doesn't seem to work.
i.e. I have a function search in the controller which validates the form input passed, and either returns you to the previous page with errors, or else moves you onto the next page. But I want this function to also work if you previously filled out this page, and the info is stored in the $_SESSION variable.
function search () {
$this->load->library("form_validation");
$this->form_validation->set_rules("flightID", "Flight Time", "required|callback_validFlightID");
$this->form_validation->set_rules("time", "Flight Time", "required|callback_validFlightTime");
$this->setRequest(array("flightID", "time"));
// adding session check allows for inter-view navigation
if ($this->form_validation->run()) {
// some application logic here
$this->load->view("seats", $data);
} else {
$this->logger->log($_REQUEST, "request");
// redirect back to index
$this->index();
}
}
function setRequest () {
// make sure none of the parameters are set in the request
foreach ($vars as $k) {
if (isset($_REQUEST[$k])) {
return;
}
}
foreach ($vars as $k) {
if (isset($_SESSION[$k])) {
$_REQUEST[$k] = $_SESSION[$k];
}
}
}
You can store the form post info in a session using the following codeigniter functions
$formdata = array(
'flightID' => $this->input->post('flightID'),
'time' => $this->input->post('time')
);
$this->session->set_userdata($formdata);
and the information can be retrieved with the following
$this->session->userdata('flightID')
$this->session->userdata('time')
form_validation works directly with $_POST, so use that instead of $_REQUEST.
What you're trying to do is setting Post values manually which is not natively
supported by CodeIgniter. So what we're doing first is extending the core.
Create a new file (MY_Input.php) and paste the following contents into it:
class MY_Input extends CI_Input{
function set_post($key, $value)
{
$_POST[$key] = $value;
}
}
That's a very basic implementation of your purpose but it's enough to test around. You might want to extend it to make it fit your needs (f.e. allowing the input of arrays).
So now. In your controller you can check if something has been posted by a user. If not you'll be just setting the post variable manually with your new method of the Input class.
class Some_Controller extends CI_Controller{
public function index()
{
// The user hasn't filled out a field?
if(!$this->input->post('a_key'))
{
// Let's set the postfield to the value of a session key
$this->input->set_post('a_key', $this->session->userdata('mystoredkey'));
}
}
}
After having set your postfield manually, it can be handled by the form validation library as it is meant to be.
That should be your way to go :)
You can really do some pretty things if you're not afraid of hacking the core. Many people are, don't be one of them!
Happy coding
I'm developing a basic web app using the MVC architecture. I'm building my own to try and fully understand how the MVC arch works so this doubles as a learning exercise.
I am using the Aura Router classes to map my URLs to controllers and action so that something like mysite.com/login will be mapped to LoginController and if I submit a form to mysite.com/login/login it will map it to LoginController->doAction('login').
Example of a controller looks like this:
class LoginController implements iController {
public function doAction( PDO $dbh, $action ) {
switch( $action ) {
case 'login':
//login here
$user = new User();
$user_id = FALSE;
if( $user_id = $user->login( $_POST['email'], $_POST['password'] ) ) {
//save user id to session
}
else {
$results = array( 'errors' => array( 'invalid' ) );
MembershipFunc::redirect( '/login', $results );
}
break;
case 'logout':
//logout
break;
default:
break;
}
}
}
The problem I am facing is that to avoid people from refreshing the page and resubmitting the data I like to forward the user back to the login page if the login failed. Currently if I don't forward them then they would appear on the page mysite.com/login/login and I don't think it's particularly clean. It's okay for my simple login form because an error could redirect to mysite.com/login?error=email,password&email=user#domain.com but in the case of a huge form then I would get a huge URL query which is really gross.
I have scoured for good resources with basic (yet useful) PHP code examples on how MVC works and I've struggled to find anything particularly useful. Should I avoid mapping my URL structures to an action and instead opt for putting a POST field called "action" instead? Should I somehow build a system where I pass this data through an array in the SESSION data?
Any advice?
Note: I would just like to specify that I know this question doesn't fit in the SO culture because it might not have a right/wrong answer but I find SO always has the best/most knowledgeable user-base. If anyone has tips as to where I should direct these questions I would really appreciate it so I don't add clutter!
In my MVC URLs look like:
index.php?c=Controller&m=ControllerMethod&d=slash/sepparated/list/of/stuff
Data (d=) is exploded on the slashes and passed as an array to every controller method.
Autoloading (via spl_autoload_register()) is used to call the class (c=) and then the method in that class (m=).
Also, it sounds like you're either not setting the ACTION on your form or you're deliberately setting the ACTION to GET. As a general rule, ACTION should be POST to keep the URLs sane. Except search forms. Those can be GET with various advantages.
Re-directing to prevent a resubmitted form on refresh is your best option (probably only option). But in my MVC index.php?c=user&m=login handles both the login page and the login action.
Example
class login extends Controller {
public function login($data) {
if(empty($_POST)) {
$this->view = "login.tpl";
return TRUE;
}
$res = $this->model->auth();
if($res !== TRUE) {
$_POST = NULL;
$this->errorState = 1;
$this->errorMsg = "Invalid login details";
$this->login();
return FALSE;
}
Core::setMessage('success', 'user', 'login', '2', 'Logged in successfully');
$home = new home(); //whatever the main controller is
$home->index($data);
//alternatively you can redirect
header("Location: index.php?c=home&m=index);
return TRUE;
}
}
Does this make sense or have I completely missed the mark?