
Zend Framework: DB / Models: Securing Other Users' Rows - Overriding Concrete Methods
I am trying to research the best way to secure users' data. Example: an application has a table 'widgets', and each user can have as many 'widgets' as required. The application identifies the 'widgets' by the 'userId' column, which references the ID of the logged-in user.

Currently the best way I have been able to secure the widget data from being accessed is by overriding the fetchAll() method with my own in my models, and adding in WHERE userId = X before passing the params to parent::fetchAll(), like so:

```php
class Model_Widgets extends Zend_Db_Table_Abstract
{
    protected $_name = 'widgets';

    /**
     * Abstracted function to ensure data security
     * Adds in a WHERE to the SELECT to check if this user is the data's owner
     *
     * @see Zend_Db_Table_Abstract::fetchAll()
     */
    public function fetchAll($where = null, $order = null, $count = null, $offset = null)
    {
        // Handle the additional security check
        $userId = 'userId = ' . Model_Users::getUser()->id;

        // Merge the WHERE userId statement with the rest
        if ($where) {
            if (is_array($where)) {
                $where[] = $userId;
            } else {
                $where = array($where, $userId);
            }
        } else {
            $where = $userId;
        }

        return parent::fetchAll($where, $order, $count, $offset);
    }
}
```

This method works fine, but I can't help but think that there must be a better way. I have recently discovered $_rowClass but am still not sure I understand the concept. If overriding concrete functions is the only way to apply these security checks, is there a way to override them once rather than in each model, perhaps via a helper, and then simply add a function like the following to each model that needs to check the user against the row:

```php
public function fetchAll(...)
{
    return SecurityCheckHelper::fetchAll(...);
}
```

I hope this makes sense; in reality all I am trying to do is make sure users can't access other users' data by playing about with IDs in the URL etc. Thanks guys
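One way to write the check once and also cover the entry points a fetchAll() override alone misses (fetchRow(), find(), update(), delete()), as an added example that is not part of the question or of Zend Framework itself. It assumes ZF1's Zend_Db_Table_Abstract API and the question's Model_Users::getUser()->id; find() is simplified to tables with a single-column primary key, and the owner id is bound with quoteInto rather than concatenated.

```php
// Added example, not code from the question or from Zend Framework. Assumes ZF1's
// Zend_Db_Table_Abstract API and the question's Model_Users::getUser()->id.
abstract class Model_OwnedTable extends Zend_Db_Table_Abstract
{
    /** Column that stores the owning user's id; override in a subclass if it differs. */
    protected $_ownerColumn = 'userId';
    /** Owner condition bound through quoteInto, so the id is never concatenated raw. */
    protected function _ownerWhere()
    {
        return $this->getAdapter()->quoteInto($this->_ownerColumn . ' = ?', (int) Model_Users::getUser()->id);
    }
    /** Turn a string, array or Select $where into a Select that also filters by owner. */
    protected function _scope($where, $order = null)
    {
        $select = ($where instanceof Zend_Db_Table_Select) ? $where : $this->select();
        if ($select !== $where && $where !== null) {
            foreach ((array) $where as $key => $val) {
                is_int($key) ? $select->where($val) : $select->where($key, $val);
            }
        }
        if ($order !== null) { $select->order($order); }
        return $select->where($this->_ownerWhere());
    }
    public function fetchAll($where = null, $order = null, $count = null, $offset = null)
    {
        $select = $this->_scope($where, $order);
        if ($count !== null || $offset !== null) { $select->limit($count, $offset); }
        return parent::fetchAll($select); // the parent uses a Select as-is
    }
    public function fetchRow($where = null, $order = null, $offset = null)
    {
        return parent::fetchRow($this->_scope($where, $order)->limit(1, $offset));
    }
    /** ZF1's find() queries the primary key directly, bypassing fetchAll(), so route it here (single-column PK only). */
    public function find()
    {
        $pk = current($this->info(Zend_Db_Table_Abstract::PRIMARY));
        return $this->fetchAll(array($pk . ' IN (?)' => func_get_args()));
    }
    /** Writes are scoped too, so a guessed id cannot update or delete another user's row. */
    public function update(array $data, $where)
    {
        return parent::update($data, array_merge((array) $where, array($this->_ownerWhere())));
    }
    public function delete($where)
    {
        return parent::delete(array_merge((array) $where, array($this->_ownerWhere())));
    }
}
```

Each owned table then just extends Model_OwnedTable and sets $_name; a row that belongs to another user comes back as null or an empty rowset, and an update or delete against it affects zero rows.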