These are chat archives for jbroadway/elefant

Apr 2014
Apr 04 2014 00:28

Imagine this situation:
Visitor build a custom user form, add "type" field and set its value to admin, it seems that he will become an administrator.

I used to think that we should add blacklist or whitelist to avoid this, but as you mentioned that, we have $verify property, and it has fields information already, maybe we can have some simpler ways.

For example, change the model.put() codes. Now it passes $verify to Validator, and returns the validate result array. If a field is not listed in $verify, it seems to pass the validate.

How about change this to :

  1. filter model->data, reamin fields we defined in $verify;
  2. validate

This will change a little: if we want to save a fileld, even it has no validate rule, we should define it in $verify too.

Apr 04 2014 00:50
Poor english :(
Apr 04 2014 11:17
@jbroadway thanks before, :-) actually I have done this by adding feature certain tag in postfeed :-)
Apr 04 2014 12:30
I create simple CRUD app via CRUD generator, but the admin page only can be accessed with user admin role, can we add manual permission so this CRUD app can be accessed with not full admin permission ?
Apr 04 2014 12:37
Sorry it's done by adding 'Default' permission :-)
Apr 04 2014 12:42
but it make Blog vulnerable because although there is no 'user' app in topbar' but not admin user can make admin user via edit blog then edit author -> choose -> add user
Johnny Broadway
Apr 04 2014 14:00
If you change $this->require_admin() to $this->require_login() then a regular site member could access that handler. Alternately, you can specify more restrictions by changing it to $this->require_acl (‘admin’, ‘user’) which now says they have to be an admin and be allowed to access the user resource (which represents the Users app).
But if you’re opening up the permissions on something like the blog add form, you may be better off duplicating it then limiting the features in your duplicate, such as the author selection.
The user dialog won’t work in a non-admin context anyway due to permissions. I just tested and it also results in a JS error due to not having access to the i18n methods defined here: