Security Issue - kind of "Hijacking"-Question

Hey Everybody,

I read about security in Yii -> http://www.yiiframework.com/doc/guide/1.1/en/topics.security but I still have an important question.

Example: If I were a user and I'm logged in, I have a page where I can manage, for example, my employees. I can create, delete, update and read them. So if I delete one of my employees, the link would be something like "http://www.domain.com/employee/delete/23".

In this case the request would pass through my controller and the "actionDelete()" method, then $model->delete(); and it's done, the employee with ID 23 is deleted and removed from the database.

But now comes my important question. If I prepare a form in a local HTML page with action="http://www.domain.com/employee/delete/35" and (in case I'm already logged in to the page) submit my local form to this URL, it's possible to delete the employee with ID 35. In this case the employee with ID 35 doesn't belong to me and my dataset.

That's a kind of security issue. My question is now: do I have to check on every update/create/read/delete action in the controller FIRST via a DB selection (findBy...) whether the current user is allowed to view/delete/update/create the record with the parameter ID?

Or does Yii take care of this with some rules which I don't know about?

I need help. Thank you very much!

If I understand you correctly, you want to allow users to do some actions based on their identity?

If so, I suggest you read Access Checking and combine it with Add information to Yii::app()->user by extending CWebUser.

Simply put, extend CWebUser, then in the controller do something like

public function actionDelete($id)
{
	// Do something
	if(Yii::app()->user->checkAccess('delete',array('id'=>$id, 'ctrl'=>'employee')))
	{
	    // delete
	}
	else
	{
		// say that he can't do it
	}
}

And override checkAccess in your custom CWebUser so that it does the actual check for deleting the record.

If anyone has a better solution, I would be glad to get it =)

The simplest solution, if you want a user to be able to delete only his own rows (rows that he created), would be to have a field in the table that holds the ID of the user that created that row... and then in actionDelete you can check whether the ID of the currently logged-in user is equal to the ID of the creator of the record that needs to be deleted...

Have a look at this, http://www.yiiframework.com/doc/api/1.1/CHttpRequest#enableCsrfValidation-detail

I thought of another solution: you can write your own beforeDelete() in the model so you can place some additional checking there =)

  1. Deleting a model should be done via POST, not GET.

  2. CSRF protection will help.
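The replies above add up to three separate controls: scope every record lookup to the logged-in user (the owner column), refuse destructive actions over GET, and enable CSRF validation. Here they are combined in one Yii 1.1 controller plus a model-level guard. This is an added example written for this thread, not code from the original posts or from the Yii project; it assumes an `employee` table with an `owner_id` column and an `Employee` ActiveRecord class, both of which are assumptions rather than something the thread defines.

```php
<?php
// Added example (not from the thread). Closes the hole in the question:
// a logged-in user POSTing to /employee/delete/35 for a row he does not own.
// Assumed schema: table `employee` with an `owner_id` column holding the id
// of the user that created the row (the approach suggested in the thread).

// --- protected/config/main.php (fragment) ---
// 'components' => array(
//     'request' => array(
//         'enableCsrfValidation'   => true, // POSTs without the token are rejected
//         'enableCookieValidation' => true,
//     ),
// ),
// CHtml::beginForm() then emits the hidden CSRF field automatically, so a
// form hosted on another origin cannot supply a valid token.

class EmployeeController extends CController
{
    public function filters()
    {
        return array(
            'accessControl',      // enforce accessRules() below
            'postOnly + delete',  // GET /employee/delete/23 is answered with HTTP 400
        );
    }

    public function accessRules()
    {
        return array(
            array('allow', 'users' => array('@')), // authenticated users only
            array('deny'),                         // everyone else
        );
    }

    /**
     * Load an employee only if it belongs to the current user.
     * Putting owner_id into the query makes "does the row exist?" and
     * "may this user touch it?" a single check: ID 35 from another
     * account is simply not found. Use this for view/update/delete alike.
     */
    protected function loadOwnedModel($id)
    {
        $model = Employee::model()->findByAttributes(array(
            'id'       => (int) $id,
            'owner_id' => Yii::app()->user->id,
        ));
        if ($model === null) {
            // 404 rather than 403: don't confirm that someone else's row exists
            throw new CHttpException(404, 'The requested employee does not exist.');
        }
        return $model;
    }

    public function actionDelete($id)
    {
        $this->loadOwnedModel($id)->delete();
        if (!isset($_GET['ajax'])) {
            $this->redirect(array('index'));
        }
    }

    public function actionCreate()
    {
        $model = new Employee();
        if (isset($_POST['Employee'])) {
            $model->attributes = $_POST['Employee']; // owner_id must NOT be a safe attribute
            $model->owner_id   = Yii::app()->user->id; // stamp the owner server-side
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('create', array('model' => $model));
    }
}

// Second line of defence (the beforeDelete() idea from the thread): even if a
// controller forgets to scope its lookup, the row refuses to delete itself.
class Employee extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'employee';
    }

    protected function beforeDelete()
    {
        if (Yii::app()->user->isGuest || $this->owner_id != Yii::app()->user->id) {
            return false; // delete() returns false, nothing is removed
        }
        return parent::beforeDelete();
    }
}
```

The answer to the original question is therefore "yes": Yii's access rules only decide whether a user may reach an action at all, so the per-record ownership check has to be written by you, and `loadOwnedModel()` is the one place to put it. Keeping `owner_id` out of the model's safe attributes in `rules()` matters as much as the lookup, otherwise a crafted POST could reassign a row to another account during update.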