[Catalyst] Re: action_for with user_id removed ...
Kiffin Gish
kiffin.gish at planet.nl
Sat Feb 6 10:25:51 GMT 2010
On Fri, 2010-02-05 at 11:33 +0100, Aristotle Pagaltzis wrote:
> * Kiffin Gish <kiffin.gish at planet.nl> [2010-02-01 17:20]:
> > I have a number of user-defined actions which are described
> > with the user id like this:
> >
> > settings/user_id/(view|edit)
> >
> > Where user_id is the primary key into the users resultset.
> > However, I do not want this to be visible to the end-user for
> > security reasons (if I'm admin it's alright).
> >
> > Is it possible to retain these, but for users who are logged in
> > the /user_id/ is removed to get this visible instead:
> >
> > settings/(view|edit)
>
> I find this highly suspect. It sounds like your authorisation
> checks are inadequate somewhere, and you are trying to paper over
> that instead of fixing it.
>
> From an HTTP point of view it is unwise to make endpoint URIs
> like that which can refer to many different resources at any one
> point in time.
>
> Regards,
I'm not so sure that I agree, though I can appreciate your point of
view.
All I'm doing in fact is using the $user->id saved in the session, there
being nothing papered over for authorization, which is accomplished via
the usual login mechanism.
--
Kiffin Gish <Kiffin.Gish at planet.nl>
Gouda, The Netherlands
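For reference, here is one way to lay out the two URL shapes from the thread (settings/(view|edit) for the logged-in user, settings/user_id/(view|edit) for admins) with Catalyst chained actions. This is an added example, not code from either poster; it assumes a DBIx::Class model named DB::User, Catalyst::Plugin::Authentication with a /login action, and Catalyst::Plugin::Authorization::Roles with a role called 'admin'.

```perl
package MyApp::Controller::Settings;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# Chain root: /settings. Everything below it requires a logged-in user.
sub base : Chained('/') PathPart('settings') CaptureArgs(0) {
    my ($self, $c) = @_;
    $c->detach('/login') unless $c->user_exists;   # assumes a /login action exists
    # Default target is the caller's own row, keyed by the id kept in the session.
    $c->stash->{target} = $c->model('DB::User')->find($c->user->id);
}

# Admin-only branch: /settings/<user_id>/... names someone else's row.
# The id is not hidden; the explicit role check is what protects it.
sub for_user : Chained('base') PathPart('') CaptureArgs(1) {
    my ($self, $c, $user_id) = @_;
    unless ($c->check_user_roles('admin')) {
        $c->response->status(403);
        $c->detach;
    }
    my $target = $c->model('DB::User')->find($user_id);
    unless ($target) {
        $c->response->status(404);
        $c->detach;
    }
    $c->stash->{target} = $target;
}

# /settings/view and /settings/edit act on the session user ...
sub view : Chained('base') PathPart('view') Args(0) { $_[0]->_show($_[1]) }
sub edit : Chained('base') PathPart('edit') Args(0) { $_[0]->_update($_[1]) }
# ... while /settings/<id>/view and /settings/<id>/edit act on the chosen user.
sub admin_view : Chained('for_user') PathPart('view') Args(0) { $_[0]->_show($_[1]) }
sub admin_edit : Chained('for_user') PathPart('edit') Args(0) { $_[0]->_update($_[1]) }

sub _show {
    my ($self, $c) = @_;
    $c->stash(template => 'settings/view.tt', user => $c->stash->{target});
}

sub _update {
    my ($self, $c) = @_;
    my $p = $c->request->params;
    # Write only to the row chosen by the chain, never to an id taken from the form.
    $c->stash->{target}->update({ display_name => $p->{display_name} });
    # Redirect back to the same URL (captures included) after the write.
    $c->response->redirect($c->uri_for($c->action, $c->request->captures));
}
__PACKAGE__->meta->make_immutable;
1;
```

Both URL shapes resolve the target row inside the chain, so a non-admin can never reach another user's row by editing the path, and an admin's access is recorded by an explicit check rather than by keeping the id out of sight.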