Protect controller actions from outside requests


Protect controller actions from outside requests

Bret Kuhns

I would like to protect a controller action from being accessed
directly by its URL. And no, I'm not talking about a user
authentication system. I have two controllers: Payments and Orders.
Payments is used first to save credit card information from the user,
then it redirects to the Orders controller so that it can save the
user's actual order information. If, for any reason, the Orders
controller cannot save the order to the database, it needs to tell the
Payments controller to remove the associated payment from the database
(think of it as a transactional insert). In my Orders controller, I
just do:

$this->requestAction("/payments/remove/$id");

Which works just fine. But after everything was working, I realized a
user could just go to "/payments/remove/[random number]" and would be
able to delete any random payments recorded in the database.

Does anyone have an idea how I could secure /payments/remove/ so that
it can only be accessed from a requestAction() call? Thanks in advance
for any help!


 You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to [hidden email]
To unsubscribe from this group, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
Re: Protect controller actions from outside requests

Larry E. Masters
Already covered this in the group before...

if($this->params['requested'] === true){
//do your thing here
}

--
/**
* @author Larry E. Masters
* @var string $userName
* @param string $realName
* @returns string aka PhpNut
* @access  public
*/
Re: Protect controller actions from outside requests

Bret Kuhns

@PhpNut

Thanks for the quick reply. I tried several queries in the group and on
google looking for what I needed and couldn't find a relevant solution
(almost all results were about user authentication, othAuth,
rdSimpleAuth...). I suppose it helps if you know exactly what to search
for, but I came up with nothing. But thanks for the help :)


Re: Protect controller actions from outside requests

Bret Kuhns

@PhpNut

The code snippet you gave me didn't work for me. I searched around and
found this change ticket: https://trac.cakephp.org/changeset/3783/ .
From the looks of the code, the 'requested' key is set to 1, not a
boolean. I changed my condition operator to == so that PHP would
attempt to cast the integer to a boolean, and that seemed to work.
Except if the action *wasn't* requested, the 'requested' key was not
set and I got PHP notices telling me I had an undefined index. I
changed the condition again to isset($this->params['requested']) and
that seems to have fixed my problems.


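A worked version of the fix the thread arrives at (isset() on $this->params['requested']), added here as an example; it is not code from the thread or from CakePHP itself. It assumes CakePHP 1.x conventions (AppController, $name, $components, Model::del()/save(), Controller::redirect(), SessionComponent::setFlash()) and takes the Payments/Orders controller names from the question.

```php
<?php
// Added example (not from the thread). Assumes CakePHP 1.x controller and
// model conventions; Payment and Order are the assumed model names.

class PaymentsController extends AppController {
    var $name = 'Payments';

    // Cake only sets $this->params['requested'] when the action is reached
    // through requestAction(). A browser request to /payments/remove/123
    // never carries that key, so isset() cleanly separates the two cases
    // (the thread found that === true fails because the value is 1, and that
    // reading the key directly raises an undefined-index notice).
    function remove($id = null) {
        if (!isset($this->params['requested'])) {
            // Direct HTTP request: refuse without touching the database.
            $this->redirect('/');
            return false;
        }
        if (empty($id)) {
            return false;
        }
        // Assumed model API: Model::del() deletes the row by primary key.
        return $this->Payment->del($id);
    }
}

class OrdersController extends AppController {
    var $name = 'Orders';
    var $components = array('Session');

    // Payments redirects here after storing the card details; $paymentId is
    // the id of the payment record created in that first step.
    function add($paymentId = null) {
        if (!empty($this->data)) {
            $this->data['Order']['payment_id'] = $paymentId;
            if ($this->Order->save($this->data)) {
                $this->redirect('/orders/thanks');
            } else {
                // Saving the order failed: compensate by removing the payment
                // stored in the first step. This internal call is the only
                // path on which the 'requested' guard above lets the delete run.
                $removed = $this->requestAction("/payments/remove/$paymentId");
                $msg = $removed
                    ? 'Your order could not be saved; the payment was cancelled.'
                    : 'Your order could not be saved; please contact support.';
                $this->Session->setFlash($msg);
            }
        }
    }
}
?>
```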