These are chat archives for jbroadway/elefant
Imagine this situation:
A visitor builds a custom user form, adds a "type" field and sets its value to admin; it seems that he will become an administrator.
I used to think that we should add a blacklist or whitelist to avoid this, but as you mentioned, we have the $verify property, and it has the field information already, so maybe we can have some simpler ways.
For example, change the model.put() code. Now it passes $verify to Validator, and returns the validation result array. If a field is not listed in $verify, it seems to pass validation.
How about changing this to:
This will change things a little: if we want to save a field, even if it has no validation rule, we should define it in $verify too.
$this->require_login() then a regular site member could access that handler. Alternately, you can specify more restrictions by changing it to $this->require_acl ('admin', 'user') which now says they have to be an admin and be allowed to access the user resource (which represents the Users app).