Backbone Model default logged in user about phreeze HOT 2 OPEN

Right now I'm doing this in the _Header.tpl.php:

<script type="text/javascript">
    var currUser = <?php $this->eprint( $this->currentUser->Id );?>;
</script>

and in my backbone model.js

/**
 * Post Backbone Model
 */
model.PostModel = Backbone.Model.extend({
    urlRoot: 'api/post',
    idAttribute: 'id',
    id: '',
    authorId: '',
    date: '',
    content: '',
    title: '',
    excerpt: '',
    commentCount: '',
    defaults: {
        'id': null,
        'authorId': currUser,
        'date': new Date(),
        'content': '',
        'title': '',
        'excerpt': '',
        'commentCount': ''
    }
});

after I assigned the getCurrentUser to the Init() of the AppBaseController.php

It works, but it feels like cheating.

from phreeze.

So, you're not exactly cheating but when it comes to anything involving authentication (like who the current user is) there's a a good mantra that you have to keep in mind. That is - never trust the client! (ie never trust any information that comes from the browser). It's perfectly ok to assign the user fields to the client. But, as long as that data is never used to obtain or change stuff on the server.

The good thing is - the server already knows who the current user is because they are logged in. So you don't even have to pass the current user ID to the server. In fact, you never should. Here's some code for example:

// don't do this...
$post->AuthorId = RequestUtil::Get('authorId'); // <- anybody can manipulate this - bad!

// do this instead...
$post->AuthorId = $this->GetCurrentUser()->Id;  // <- the user has no ability to manipulate this - good!

So, those kind of defaults should happen on the server side where the user can't manipulate it. Otherwise a malicious person could just observe how your application works and then mess with the calls and change the user id - thus emulating another user - which depending on what you are doing could be a security problem.

from phreeze.