Wrox Programmer Forums
BOOK: Professional PHP Design Patterns
This is the forum to discuss the Wrox book Professional PHP Design Patterns by Aaron Saray ISBN: 978-0-470-49670-1
Welcome to the p2p.wrox.com Forums.

You are currently viewing the BOOK: Professional PHP Design Patterns section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old July 15th, 2013, 09:00 AM
Registered User
Points: 5, Level: 1
Activity: 0%
 
Join Date: Jul 2013
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Security Authorization

Firstly, I would like to say that I have really enjoyed reading the Professional PHP Design Patterns book.

One question though, I noticed that even though a user is logged out, editing user and contact entries is still possible.

How would you work around this issue in real-life scenarios, and what in your opinion is the best way to implement per-page authorization checking?

Thanks!


Nicholas
 
Old July 15th, 2013, 01:37 PM
Wrox Author
Points: 118, Level: 2
Activity: 0%
 
Join Date: Sep 2009
Location: Milwaukee, WI
Posts: 15
Thanks: 0
Thanked 4 Times in 4 Posts

Hi and thanks for your message.

Generally, when creating a more in-depth product, I take the following approaches:

a) add an ACL with various permissions like read/create/update/delete on each object. Optionally, an additional method is attached to validate whether the user can edit this object, based on identifiers in the object.

b) check that ACL in a service class - and only service classes can modify, find, create or delete models (the objects to which the ACL above was applied).

c) and per page, I usually write a front controller method that reads in the action and validates it against the current user.

This gives security in depth. First, we restrict access to the page. If that's forgotten or hacked around, there is an additional security check on the service/model level.
__________________
-aaron
--
aaronsaray.com || <-- yeah... try it.
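As an added example (not the book's code and not the author's), here is one way to put the three layers described in the reply above together in PHP 8.1 and see how they answer the original question about logged-out edits. The class names (`Identity`, `Acl`, `ContactService`, `FrontController`), the `ownerId` ownership rule and the action table are assumptions made for this illustration only.

```php
<?php
// Added example, not the book's code; all class and method names are hypothetical. Requires PHP 8.1+.
final class Identity
{
    public function __construct(public readonly int $id, public readonly string $role) {}
}
final class Contact
{
    public function __construct(public int $id, public int $ownerId, public string $email) {}
}
final class AuthorizationException extends RuntimeException {}
// (a) ACL: role -> resource -> privilege table, plus an optional ownership check on the object's identifiers.
final class Acl
{
    private array $rules = [];
    public function allow(string $role, string $resource, array $privileges): void
    {
        foreach ($privileges as $privilege) {
            $this->rules[$role][$resource][$privilege] = true;
        }
    }

    public function isAllowed(?Identity $who, string $resource, string $privilege, ?object $target = null): bool
    {
        if ($who === null || empty($this->rules[$who->role][$resource][$privilege])) {
            return false; // logged out, or the role lacks the privilege: deny by default
        }
        if ($target !== null && $who->role !== 'admin' && property_exists($target, 'ownerId')) {
            return $target->ownerId === $who->id; // object-level rule: non-admins only touch their own records
        }
        return true;
    }
}

// (b) Service layer: the only code that modifies Contact models, and it checks the ACL itself.
final class ContactService
{
    private array $store = [];
    public function __construct(private Acl $acl, array $contacts)
    {
        foreach ($contacts as $contact) {
            $this->store[$contact->id] = $contact;
        }
    }

    public function update(?Identity $who, int $id, string $email): Contact
    {
        $contact = $this->store[$id] ?? throw new RuntimeException("no contact $id");
        if (!$this->acl->isAllowed($who, 'contact', 'update', $contact)) {
            throw new AuthorizationException("update denied on contact $id");
        }
        $contact->email = $email;
        return $contact;
    }
}

// (c) Front controller: maps each action to a privilege and checks it against the current user before dispatching.
final class FrontController
{
    private const ACTIONS = ['contact/edit' => ['contact', 'update']];
    public function __construct(private Acl $acl, private ContactService $contacts) {}
    public function dispatch(?Identity $who, string $action, array $params): string
    {
        if (!isset(self::ACTIONS[$action])) {
            return '404 unknown action';
        }
        [$resource, $privilege] = self::ACTIONS[$action];
        if (!$this->acl->isAllowed($who, $resource, $privilege)) {
            return $who === null ? '401 login required' : '403 forbidden';
        }
        try {
            $updated = $this->contacts->update($who, (int) $params['id'], (string) $params['email']);
            return 'updated: ' . $updated->email;
        } catch (AuthorizationException $e) {
            return '403 ' . $e->getMessage(); // page-level check passed, object-level check did not
        }
    }
}

// Constructed sample data: one ordinary user who owns contact 1 but not contact 2.
$acl = new Acl();
$acl->allow('user', 'contact', ['read', 'update']);
$acl->allow('admin', 'contact', ['read', 'create', 'update', 'delete']);
$service = new ContactService($acl, [new Contact(1, 10, 'alice@example.com'), new Contact(2, 20, 'bob@example.com')]);
$front = new FrontController($acl, $service);
$alice = new Identity(10, 'user');
echo $front->dispatch(null, 'contact/edit', ['id' => 1, 'email' => 'x@evil.test']), "\n";      // logged out
echo $front->dispatch($alice, 'contact/edit', ['id' => 1, 'email' => 'alice@new.test']), "\n"; // owner
echo $front->dispatch($alice, 'contact/edit', ['id' => 2, 'email' => 'x@evil.test']), "\n";    // someone else's contact

// The "forgotten or hacked around" case: a direct call to the service while logged out is still refused.
try {
    $service->update(null, 1, 'x@evil.test');
} catch (AuthorizationException $e) {
    echo 'service refused: ', $e->getMessage(), "\n";
}
```

The two refusals come from different layers, which is the point of the defense in depth the reply describes: the front controller rejects the logged-out request before any handler runs, the service rejects Alice's edit of Bob's contact because the object-level ownership check fails, and the final direct call to `ContactService::update()` shows that bypassing the page-level check gains nothing, because the service re-runs the same ACL with a null identity and denies by default.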









Copyright (c) 2020 John Wiley & Sons, Inc.