Re: Security and takeValuesFromRequest()
Re: Security and takeValuesFromRequest()
- Subject: Re: Security and takeValuesFromRequest()
- From: Jean-François Veillette <email@hidden>
- Date: Tue, 19 Apr 2005 09:00:07 -0400
Note that, as other have pointed out, forging a custom http request
might not be a problem.
It depend on how you build the component, if form elements exist and
are just 'disabled' in javascript, then yes, this is not enough.
But if you are concerned with securing your 'business layer', then your
security should be implemented there.
Keep minimal support at the interface layer (WOComponents) as well, but
surcharging the interface layer with complete business validation is a
bit way too much business logic for that layer of responsability. Do
not take me wrong, the interface should support whatever is needed for
the user to have a nice user experience. But having all the validation
in there is a bit too much.
I'm experiencing a similar situation, where business actions are in a
context (a user performing actions, etc.), and some actions are not
allowed depending on user's permissions. By explaining this
situation, I realized that my business logic actions were performed in
a 'context', so it make sense to have a 'context' concept at that
layer.
To implement security at the interface layer is relatively easy since
every component have access to the 'context', represented by the
session object, and so can get to the current user.
To implement security at the business layer is a bit more tricky, since
(generaly speaking), the business model objects do not have a direct
relationship to the current users, and so can't have access to the
permissions allowed.
After the usual validations made at the interface layer, I'm currently
trying something for a first time now and is working quite well so far.
I've subclassed EOEditingContext, in the subclass I've added a
dictionary that hold any context relative information. So in there I
can put the current user performing the actions (business equivalent to
a session.user ivar). This way, I can use NSValidation mechanism at
the business layer since every eo can validate authorisations based on
the 'current user' (editingContext.contextDict.user).
- jfv
Le 05-04-18, à 17:36, Nathan Hampton a écrit :
I have a situation where some users need to be able to change values
for only a sub-set of the keys in an EO, while others may change all
values. I did the usual thing -- putting the fields that require
higher privileges in a WOConditional -- but then realized that an HTTP
request could be created that would include values that the user
wasn't authorized to change. As a result, takeValuesFromRequest()
would make the changes, even though that user wasn't allowed to do so.
First of all, is this actually possible? If it is, how do I plug the
hole? (If it isn't, it's yet another way WO is just that cool.) My
immediate idea was to override takeValuesFromRequest() and use KVC to
ensure that the only changes in the request are changes the user is
allowed to make. Is there a better way to do this?
--NCH
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
email@hidden
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden