Security Interceptors

justin · August 5, 2010, 3:20am

I'm currently developing a CRUD application where users have an item
page where they can create, read, update and delete their own items
which are then stored in a database. Now, if a user accesses an item
that they created as follows:

http://127.0.0.1/index.cfm/user/editItem/id/344

How would I ensure only the user who owns that item can access that
url? Orginally I was looking at the security interceptor but there is
virtual no examples of using querystrings so I'm thinking that isn't
what the interceptor is for? What is the correct method for securing
urls in this situation?

Regards,
Justin

justin · August 6, 2010, 6:58pm

To be more clear:

Can I pass an the event object to userValidator? as I would need it to
compare against the rule...

Jason_Durham · August 6, 2010, 9:21pm

You could accomplish that security requirement in the SQL statement pulling the record(s). Just pass the item ID variable from the request collection into your service (and subsequently the DAO). Are you using 3.0?

Jason Durham

justin · August 7, 2010, 4:00am

Yes I am using v3. If I just pass the id to the service what would
stop the user from changing the URL to any ID they want. I could pass
the ID and the user ID

Security Interceptors

Latest Ortus News

GIVING BACK

HARVESTING IN SPANISH

WOODSEDGE