How to protect data

SystemicPlural · September 18, 2010, 7:36am

I asked an unanswered question the other day. It made me think that perhaps I am asking the wrong question, so I’ll try a different tack.

What is the standard practice in Yii to protect from users manipulating data that they shouldn’t. E.G. If there is a page where members can edit their profile, then the view for accomplishing this needs to know on post back which data to edit, and also it needs to know not to allow that post back to edit another persons profile.

I can think of several solutions to this problem.

Always check that the authenticated user is the owner of the table row that that is being manipulated.
Encrypt any primary keys that are needed for the update, so that they can’t be edited.
Update everything using table joins to the user table so that primary keys do not need to round trip to the user.

Which of these is considered best practice. Is there something else I am missing?

Thanks for any help

lgoss007 · September 18, 2010, 1:59pm

(1) is the standard practice (or most used). And from your post here:

confused about security and model rules

Yes it’s fine (and expected) to put the validation rules in the business model (active record).

SystemicPlural · September 19, 2010, 4:30pm

Thanks, much appreciated.

zaccaria · September 20, 2010, 1:28pm

You can help yourself with a behaviour.

The module for user can use a special model that has a behaviour, which check in the onAfterSave if the module belongs or not to the user.

This deny to any user to see or edit a data of another user, avoiding the ‘blind error’ of forgetting to check in a controller.