In my data model, I've got a field that should be admin-editable only. Normal users can edit records in the model and view this specific field, but they should not be able to edit it. Is there a simple/clean approach to do this? I guess that it's necessary to create an extra admin_edit controller action, but what's the best way to "lock" a data field in the controller?
+1
A:
Depending on your setup, this could easily be handled as a validation method in the model. Write a custom function in the model to check if the user has permission.
You could also do it in model with beforeSave(). If the field is there and they don't have permission, remove it.
Codeacula
2010-10-01 13:21:29
+2
A:
It's not necessary to create a new controller action, but you may decide so. Note that you can still use the same view for it using $this->render("edit")
see: http://book.cakephp.org/view/428/render
I think you should:
- use the same controller action, if that's not confusing for the users and admins
- display an input field only if the user is admin, and output the text for other users
- check for authorization in the controller
Adam
2010-10-01 13:52:08
A:
you can simly check on the admin role in the edit view
if (hasRoleAdmin) {
echo $this->Form->input(...);
}
mark
2010-10-01 19:14:19
This would be simple to realize, but it's not secure. *If* an evil user would supply a modified-by-hand HTTP POST request which contains this field, he could edit it nevertheless.
joni
2010-10-04 08:53:53
i was talking about roles SAVED in the session. if they would be insecure by themselves, no website in the world would be secure. but i guess you mean the POST part itself. didnt catch that right away. of course you always need to make sure that users cannot "save" more data then they should. but that has to be done in the controller right before calling save(). details: http://www.dereuromark.de/2010/09/21/saving-model-data-and-security/
mark
2010-10-04 22:57:07
thanks, that blog post seems useful for me. (It feels strange to communicate in English with a native speaker of your own language)
joni
2010-10-05 10:56:10