
CakePHP security: can others view/tamper with variables I set for my views?

I have a CakePHP application with user authentication by means of the 'Auth' component.
In order to customize views based on user role, I added the lines below to my code:

    public function beforeFilter() {
        ....
        $this->set('loggedIn', $this->Auth->user('id'));
        $this->set('role', $this->Auth->user('role'));
        ....
    }

So inside my .ctp view files I will check the user role (admin, user, moderator, ...) and then change the view using if/elses to fit the user role.
I want to know whether end-users of the application can tamper with '$role' such that they can change the behaviour of the application, or whether all aspects of the application will be handled on the server side and this type of view customization is safe enough?

The short answer is: No, it should not be possible. But it really depends on how securely your application is written. CakePHP by default is a pretty solid and secure framework; there have been only one or two serious issues in the last ~5 years as far as I remember.

First you should use the Security component to avoid form tampering. For example I could go to my profile, add a hidden field "role" and set its value to "admin" and submit. My role will be updated in the DB and I'm an admin.

Another possibility could be file uploads that aren't properly checked. Many people like to forget calling is_uploaded_file(). Most stupid example: I upload a php file, it ends up in app/webroot/uploads/hack.php and I can execute it by calling foo.com/uploads/hack.php and then do whatever I want in the worst case, for example modifying files of your application. Even if your app is properly set up and the application files are read only, I could still read the app/Config/database.php and then do whatever I want with the credentials. So make sure your file system permissions are correctly configured. Only app/tmp should be writeable.

Wherever the input comes from, POST, GET, a CSV file, human generated or machine generated, when you process it you always want to validate it and make sure that the incoming data is sanitized and validated. Trust nobody is a pretty basic security rule.
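An added example (not code from the question or the answers) of a CakePHP 2 controller that applies the points above: the Security component against form tampering, a field whitelist on save() so a smuggled "role" field is ignored, and an is_uploaded_file() check that stores uploads under app/tmp instead of webroot. The User model, its fields and an existing app/tmp/uploads directory are assumptions.

```php
<?php
// Added example, not from the original page. Assumes a User model with
// id/name/email/role columns and a writeable app/tmp/uploads directory.
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    // SecurityComponent signs every FormHelper form and black-holes requests
    // whose field set was altered, e.g. a hidden "role" input added in the browser.
    public $components = array('Auth', 'Security', 'Session');

    public function beforeFilter() {
        parent::beforeFilter();
        // Values handed to the view are read from the server-side session,
        // never from the request, so the client cannot change them.
        $this->set('loggedIn', $this->Auth->user('id'));
        $this->set('role', $this->Auth->user('role'));
    }

    public function profile() {
        if ($this->request->is('post') || $this->request->is('put')) {
            // Take the record id from the session, not from the submitted form.
            $this->request->data['User']['id'] = $this->Auth->user('id');
            // Second line of defence: a field whitelist. Even if "role" arrives
            // in the POST body, save() ignores any column not listed here.
            $fieldList = array('id', 'name', 'email');
            if ($this->User->save($this->request->data, true, $fieldList)) {
                $this->Session->setFlash('Profile updated');
            }
        }
    }

    public function avatar() {
        $file = $this->request->data('User.avatar');
        // Reject anything that did not arrive as an upload of this request.
        if (!$this->request->is('post') || empty($file['tmp_name'])
            || !is_uploaded_file($file['tmp_name'])) {
            throw new BadRequestException('Invalid upload');
        }
        // Check the content, not the client-supplied file name or extension.
        $info = getimagesize($file['tmp_name']);
        if ($info === false || !in_array($info[2], array(IMAGETYPE_JPEG, IMAGETYPE_PNG), true)) {
            throw new BadRequestException('Only JPEG/PNG images are accepted');
        }
        // Store outside webroot (only app/tmp is writeable) under a server-generated
        // name, so nothing a user uploads can ever be executed by requesting its URL.
        $dest = TMP . 'uploads' . DS . uniqid('avatar_', true) . '.img';
        move_uploaded_file($file['tmp_name'], $dest);
    }
}
```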

The only way they can tamper with those settings is if they are able to access the files directly. They would need direct access to editing your files by accessing your server and the files on it.
