[Catalyst] Re: action_for with user_id removed ...

Aristotle Pagaltzis pagaltzis at gmx.de
Fri Feb 5 10:33:40 GMT 2010


* Kiffin Gish <kiffin.gish at planet.nl> [2010-02-01 17:20]:
> I have a number of user-defined actions which are described
> with the user id like this:
>
> settings/user_id/(view|edit)
>
> Where user_id is the primary key into the users resultset.
> However, I do not want this to be visible to the end-user for
> security reasons (if I'm admin it's alright).
>
> Is it possible to retain these, but for users who are logged in
> the /user_id/ is removed to get this visible instead:
>
> settings/(view|edit)

I find this highly suspect. It sounds like your authorisation
checks are inadequate somewhere, and you are trying to paper over
that instead of fixing it.

From an HTTP point of view it is unwise to make endpoint URIs
like that which can refer to many different resources at any one
point in time.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
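As an added illustration, not code from the thread or from Catalyst itself: a controller keeping the original `settings/user_id/(view|edit)` layout, with the authorisation check the reply is asking about done once in the chained base action, so the `user_id` in the URL is only ever acted on after it has been checked against the logged-in user. `MyApp::Controller::Settings`, the `DB::User` model, the `admin` role name and `$c->user->id` are assumed names, and the code assumes Catalyst::Plugin::Authentication and Catalyst::Plugin::Authorization::Roles are loaded.

```perl
package MyApp::Controller::Settings;   # assumed controller name, not from the thread
use Moose;
use namespace::autoclean;

BEGIN { extends 'Catalyst::Controller' }

# Plain helper (no attributes, so not an action): set a status and stop the chain.
sub _deny {
    my ($c, $status, $message) = @_;
    $c->response->status($status);
    $c->response->body($message);
    $c->detach;
}

# Chain root for /settings/<user_id>/...; every leaf action hangs off this,
# so the authorisation decision is made once, before any per-user code runs.
# Assumes Catalyst::Plugin::Authentication and ::Authorization::Roles are loaded.
sub base : Chained('/') PathPart('settings') CaptureArgs(1) {
    my ($self, $c, $user_id) = @_;

    # Refuse anything that is not a plain numeric primary key before using it.
    _deny($c, 404, 'Not found') unless defined $user_id && $user_id =~ /\A[0-9]+\z/;

    # Unauthenticated callers get no further.
    _deny($c, 401, 'Login required') unless $c->user_exists;

    # The check the reply is asking about: a non-admin may only act on their
    # own row, whatever user_id appears in the URL. The 'admin' role name and
    # $c->user->id (DBIx::Class user store, 'id' column) are assumptions.
    my $is_admin = $c->check_user_roles('admin');
    _deny($c, 403, 'Forbidden') unless $is_admin || $c->user->id eq $user_id;

    # Only now is the row loaded; leaf actions work from the stash.
    my $target = $c->model('DB::User')->find($user_id);   # 'DB::User' model name assumed
    _deny($c, 404, 'Not found') unless $target;
    $c->stash->{target_user} = $target;
}

# /settings/<user_id>/view and /settings/<user_id>/edit
sub view : Chained('base') PathPart('view') Args(0) {
    my ($self, $c) = @_;
    $c->stash->{template} = 'settings/view.tt';
}

sub edit : Chained('base') PathPart('edit') Args(0) {
    my ($self, $c) = @_;
    $c->stash->{template} = 'settings/edit.tt';
}

__PACKAGE__->meta->make_immutable;

1;
```

With the check in the base action, a URL naming someone else's `user_id` returns 403 for ordinary users and works for admins, which removes the reason to hide the id from the path.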


