Security Url

shyamprasath · February 10, 2014, 7:25am

Hi All,

I think this is not new thing but yet to be discussed.

I have been trying to get the best way to change the display URL format of Yii application.

Simply to show the content, we need to pass the content id to the controller.

If the content is protected for specific set of users, it is uneasy to secure the content.

Users give the content id value randomly and get the view of the protected content.

Example:

Normal URL display is Content/View/45. But I wanna display the URL in a secured way that either it should be like "Content/View" where the content id is hidden but it should be passed some other way or "Content/View/(encrypted string)".

Please give some good suggestion or examples to do it.

I want my app should be highly secured as it is having payment based content display.

Thanks in advance for your support and help.

Pathfinder · February 10, 2014, 8:55am

you have to base your access system on top of rbac (and controller filters) or it’s analogs.

To rely on the fact that user does not know the url is not good enough. It is wrong approach.

seyyed · February 10, 2014, 9:06am

You can write your own AccessControl extends from ActionFilter and override beforeAction.

this is better for content security rather than customized URLs

shyamprasath · February 10, 2014, 9:30am

without using rbac any alternatives to do the same?

Pathfinder · February 10, 2014, 11:54am

@seyyed answered alteady

seyyed · February 10, 2014, 12:37pm

This is alternative to rbac.

in ActionFilter::beforeAction you have $action.

you can get request and user also:




$user = Yii::$app->getUser();

$request = Yii::$app->getRequest();

So you have everything you need.

write your own business logic then


return true;

or


throw new ForbiddenHttpException(Yii::t('yii', 'You are not allowed to perform this action.'));