BOOK: Professional PHP Design Patterns
This is the forum to discuss the Wrox book Professional PHP Design Patterns by Aaron Saray, ISBN 978-0-470-49670-1.
#1
Old July 15th, 2013, 09:00 AM
Registered User
Security Authorization

Firstly, I would like to say that I have really enjoyed reading the Professional PHP Design Patterns book.

One question, though: I noticed that even though a user is logged out, editing user and contact entries is still possible.

How do you work around this issue in real-life scenarios, and what in your opinion is the best way to implement per-page authorization checking?

Thanks!


Nicholas
#2
Old July 15th, 2013, 01:37 PM
Wrox Author

Hi and thanks for your message.

Generally, when creating a more in-depth product, I take the following approaches:

a) add an ACL with various permissions like read/create/update/delete on each object. Optionally, an additional method is attached to validate whether the user can edit this object, based on identifiers in the object.

b) check that ACL in a service class - and only service classes can modify, find, create or delete models (the objects to which the ACL above was applied).

c) and per page, I usually write a front controller method that reads in the action and validates it against the current user.

This gives security in depth. First, we restrict access to the page. If that's forgotten or hacked around, there is an additional security check on the service/model level.
__________________
-aaron
--
aaronsaray.com || <-- yeah... try it.
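The three layers described in the answer above, as an added example written for this page (it is not code from the book or from either poster). The class, role and permission names (Acl, ContactService, FrontController, 'contact.update') are assumptions, and it needs PHP 8 for constructor promotion and throw expressions. A logged-out visitor is stopped at the front controller; a logged-in member who does not own the contact gets past the page check but is still refused by the service, which is the point of the second layer.

```php
<?php
// Added example (not the book's or the thread's code); class, role and permission names are hypothetical. PHP 8+.
final class Contact {
    public function __construct(public int $id, public int $ownerId, public string $name) {}
}
final class Acl {
    // role => granted permissions; anything not listed is denied. A logged-out visitor is 'guest'.
    private const RULES = ['guest' => ['contact.read'], 'member' => ['contact.read', 'contact.update']];
    // $user is ['id' => ?int, 'role' => string]. Given a subject, members may only modify what they own.
    public function isAllowed(array $user, string $permission, ?Contact $subject = null): bool {
        $granted = in_array($permission, self::RULES[$user['role']] ?? [], true);
        if (!$granted || $subject === null || $permission === 'contact.read') {
            return $granted;
        }
        return $user['id'] !== null && $subject->ownerId === $user['id'];
    }
}
final class ContactService {
    // $contacts (id => Contact) stands in for a repository; only this class may change a Contact.
    public function __construct(private Acl $acl, private array $contacts) {}
    public function update(array $user, int $id, string $name): Contact {
        $contact = $this->contacts[$id] ?? throw new RuntimeException("no contact $id");
        if (!$this->acl->isAllowed($user, 'contact.update', $contact)) {
            throw new RuntimeException('forbidden: contact.update'); // second layer: service/model level
        }
        $contact->name = $name;
        return $contact;
    }
}
final class FrontController {
    private const ACTION_PERMISSIONS = ['contact/edit' => 'contact.update'];
    public function __construct(private Acl $acl, private ContactService $service) {}
    public function dispatch(array $user, string $action, array $params): string {
        $needed = self::ACTION_PERMISSIONS[$action] ?? null;
        if ($needed === null || !$this->acl->isAllowed($user, $needed)) {
            return '403 Forbidden'; // first layer: the page itself is refused before any service call
        }
        try {
            $c = $this->service->update($user, (int) $params['id'], (string) $params['name']);
            return "200 updated contact {$c->id} to {$c->name}";
        } catch (RuntimeException $e) {
            return '403 ' . $e->getMessage();
        }
    }
}
$acl = new Acl(); // constructed sample data: contact 7 belongs to user 42
$fc = new FrontController($acl, new ContactService($acl, [7 => new Contact(7, 42, 'Alice')]));
echo $fc->dispatch(['id' => null, 'role' => 'guest'], 'contact/edit', ['id' => 7, 'name' => 'Mallory']), "\n";
echo $fc->dispatch(['id' => 99, 'role' => 'member'], 'contact/edit', ['id' => 7, 'name' => 'Mallory']), "\n";
echo $fc->dispatch(['id' => 42, 'role' => 'member'], 'contact/edit', ['id' => 7, 'name' => 'Alicia']), "\n";
```

The first two requests are refused (one at the page level, one at the service level) and only the owner's request changes the record.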