Comments (2)
Right now I'm doing this in the _Header.tpl.php:
<script type="text/javascript">
var currUser = <?php $this->eprint( $this->currentUser->Id );?>;
</script>
and in my backbone model.js
/**
 * Post Backbone Model
 */
model.PostModel = Backbone.Model.extend({
    urlRoot: 'api/post',
    idAttribute: 'id',
    id: '',
    authorId: '',
    date: '',
    content: '',
    title: '',
    excerpt: '',
    commentCount: '',
    defaults: {
        'id': null,
        'authorId': currUser,
        'date': new Date(),
        'content': '',
        'title': '',
        'excerpt': '',
        'commentCount': ''
    }
});
after I assigned the getCurrentUser to the Init() of the AppBaseController.php
It works, but it feels like cheating.
from phreeze.
So, you're not exactly cheating, but when it comes to anything involving authentication (like who the current user is) there's a good mantra that you have to keep in mind. That is - never trust the client! (i.e. never trust any information that comes from the browser). It's perfectly ok to assign the user fields to the client, but only as long as that data is never used to obtain or change stuff on the server.
The good thing is - the server already knows who the current user is because they are logged in. So you don't even have to pass the current user ID to the server. In fact, you never should. Here's some code for example:
// don't do this...
$post->AuthorId = RequestUtil::Get('authorId'); // <- anybody can manipulate this - bad!
// do this instead...
$post->AuthorId = $this->GetCurrentUser()->Id; // <- the user has no ability to manipulate this - good!
So, those kinds of defaults should happen on the server side where the user can't manipulate them. Otherwise a malicious person could just observe how your application works and then mess with the calls and change the user id - thus emulating another user - which, depending on what you are doing, could be a security problem.
from phreeze.
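The two versions from the answer above written out as a complete, runnable PHP script. This is an added example, not code from the phreeze project or from either comment: CurrentUser, RequestUtil, and Post here are minimal stand-ins for phreeze's GetCurrentUser(), RequestUtil::Get() and the generated Post model, and the request body is constructed for the demonstration. The ownership check on update goes one step beyond the comment by applying the same rule to an edit rather than only to a create.

```php
<?php
// Added example (not phreeze's own code). The same controller action written
// two ways: both receive the untrusted request body and the server-side
// session identity, but only the hardened version ignores the client-supplied
// authorId. The classes below are stand-ins, not phreeze classes.

// Stand-in for the authenticated identity the server already knows from the
// login session (in phreeze this is what $this->GetCurrentUser() returns).
final class CurrentUser
{
    public int $Id;

    public function __construct(int $id)
    {
        $this->Id = $id;
    }
}

// Stand-in for the request wrapper: every value held here came from the browser.
final class RequestUtil
{
    private array $params;

    public function __construct(array $params)
    {
        $this->params = $params;
    }

    public function Get(string $name, $default = null)
    {
        return $this->params[$name] ?? $default;
    }
}

final class Post
{
    public int $AuthorId = 0;
    public string $Title = '';
    public string $Content = '';
}

// Vulnerable: the client decides who the author is. A body carrying authorId=2
// from a session logged in as user 1 creates a post attributed to user 2.
function createPostTrustingClient(RequestUtil $req, CurrentUser $me): Post
{
    $post = new Post();
    $post->AuthorId = (int) $req->Get('authorId');      // attacker-controlled
    $post->Title    = (string) $req->Get('title', '');
    $post->Content  = (string) $req->Get('content', '');
    return $post;
}

// Hardened: authorship is derived from the session. Any authorId in the body is
// ignored even when present, so the client cannot post as somebody else.
function createPostFromSession(RequestUtil $req, CurrentUser $me): Post
{
    $post = new Post();
    $post->AuthorId = $me->Id;                            // server-side identity
    $post->Title    = (string) $req->Get('title', '');
    $post->Content  = (string) $req->Get('content', '');
    return $post;
}

// The same rule on updates: compare the stored author against the session user
// before changing anything, instead of trusting an authorId the client sends back.
function updatePostFromSession(RequestUtil $req, CurrentUser $me, Post $existing): Post
{
    if ($existing->AuthorId !== $me->Id) {
        throw new RuntimeException('forbidden: not the author of this post');
    }
    $existing->Title   = (string) $req->Get('title', $existing->Title);
    $existing->Content = (string) $req->Get('content', $existing->Content);
    return $existing;
}

// Constructed request: user 1 is logged in, but the body claims authorId 2.
$me  = new CurrentUser(1);
$req = new RequestUtil(['authorId' => '2', 'title' => 'hello', 'content' => 'x']);

$bad  = createPostTrustingClient($req, $me);   // takes the spoofed id from the body
$good = createPostFromSession($req, $me);      // takes the id from the session
printf("trusting client: AuthorId=%d\n", $bad->AuthorId);
printf("from session:    AuthorId=%d\n", $good->AuthorId);

// A different logged-in user trying to edit the post is refused.
try {
    updatePostFromSession($req, new CurrentUser(2), $good);
} catch (RuntimeException $e) {
    echo "update as user 2: " . $e->getMessage() . "\n";
}
```

Run it with `php` on the command line; the only difference between the two create functions is the single line that sets AuthorId, which is exactly the line the answer says must not read from the request.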