Friday, September 15, 2006

Security Component

Some tricks for extra security in cake.

If you call http://example.com/users/render/delete (assuming you have a UsersController), the delete.thtml view will be rendered.
Try it at home with any controller.
The render() method inherited from Controller gets called. I'm not sure if something dangerous can be done with it, but other base-class methods, such as redirect(), can be called the same way. To forbid every public method of the base Controller class from being dispatched as an action, use this component.

<?php
/**
 * MySecurity.php
 * Some security things for Cake
 *
 * Features:
 * - The public functions from Controller & Object can no longer be called from the URL
 *
 * @author RosSoft
 * @version 0.1
 * @license MIT
 *
 * @package components
 */

class MySecurityComponent extends Object
{
    // Wraps the core SecurityComponent so its blackHole() handling can be reused
    var $components = array('Security');

    /**
     * Extra forbidden actions (set these from the controller's beforeFilter)
     *
     * @var array $forbidden_actions
     */
    var $forbidden_actions = array();

    function startup(&$controller)
    {
        // get_class_methods() on the base class also returns the methods it
        // inherits from Object, so both are blocked. Compare in lower case:
        // PHP method names are case-insensitive, so the check has to be too.
        $forbidden = array_map('strtolower',
            am($this->forbidden_actions, get_class_methods('Controller')));

        $this->Security->startup($controller);
        if (in_array(strtolower($controller->action), $forbidden))
        {
            // With no callback set, blackHole() aborts the request as a 404.
            // blackHole() expects the controller, not this component.
            $this->Security->blackHoleCallback = null;
            $this->Security->blackHole($controller);
        }
    }
}
?>
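
How the component is wired into a controller, as an added example that is not from the original post (the UsersController, its actions, the User model calls and the buildListing() helper name are assumptions for illustration, written for the Cake 1.1-era API the post targets):

```php
<?php
// Added example, not part of the original component: a controller that loads
// MySecurityComponent and additionally blocks one of its own helper methods.
class UsersController extends AppController
{
    var $name = 'Users';
    var $components = array('MySecurity');

    function beforeFilter()
    {
        // beforeFilter() runs before the components' startup(), so this list is
        // already in place when MySecurityComponent checks the requested action.
        // buildListing() is a hypothetical internal helper; without this line it
        // would be reachable at /users/buildListing like any other public method.
        $this->MySecurity->forbidden_actions = array('buildListing');
    }

    // Real action, stays reachable at /users/index
    function index()
    {
        $this->set('users', $this->buildListing());
    }

    // Real action, stays reachable at /users/delete/<id>
    function delete($id = null)
    {
        $this->User->del($id);
        $this->redirect('/users/index');
    }

    // Helper that was never meant to be an action. PHP 4 has no visibility
    // keywords, so every method is public and therefore routable by default.
    function buildListing()
    {
        return $this->User->findAll();
    }
}
?>
```

With the component in place, /users/render/delete, /users/redirect and /users/buildListing are all black-holed, while /users/index and /users/delete/3 behave exactly as before.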
Original at RosSoft.
