[TYPO3-mvc] How To implement restrictions on "per Property" basis

Franz Koch typo.removeformessage at fx-graefix.de
Mon Nov 9 15:44:06 CET 2009


Hi Sebastian,

>> What would be "best practice" for that? I already thought about an
>> "ACL viewhelper" wrapping each field in the templates, which "deletes"
>> unallowed fields.
>>
>> This seems not quite handy to me... Any ideas?
> Really? I think this is not bad actually... As you _only_ need to modify
> your template, and nothing else.
> In case your ACL ViewHelper (or however you call it) decides to render
> its children, the corresponding form element will be added to the HMAC
> generation, but in case it decides not to show it, the field will not be
> added to the HMAC. Thus, you won't need any additional checks on the
> server side.
> I'd think this is rather elegant...

I'm not familiar with extbase yet, I only read the documentation of 
FLOW3 so far and that raised a question here.
How do you ensure that only those values get stored that the user is 
actually allowed to fill? Well yes, the form only provides certain 
fields according to the user's rights then, but that doesn't prevent 
hackers from sending additional field values. So how do those get filtered 
out before they get stored, if storing is working similar to FLOW3 
(object based)? Or is this traditional handmade code to interact with 
the DB and validate fields? I'm planning an extbase-based extension in 
the next weeks where I need similar functionality.

-- 
kind regards,
Franz Koch

---------------------------------------------------
PayPal-Account: 'paypal _at_ elements-net _dot_ de'
---------------------------------------------------
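
The mechanism discussed in this message (an HMAC over the form fields that were actually rendered, checked again on submit), as an added example that is not part of the original post and is not Extbase or FLOW3 code. The function names, the token format, the secret and the sample field names are all assumptions made for illustration.

```php
<?php
// Added illustration; every name here is hypothetical.
const SECRET = 'constructed-demo-key'; // assumption: server-side secret, never sent to the client

// Render time: sign exactly the field names that were written into the form.
function signRenderedFields(array $fieldNames): string
{
    sort($fieldNames); // canonical order, so the same set always yields the same token
    $list = json_encode(array_values($fieldNames));
    return base64_encode($list) . '.' . hash_hmac('sha256', $list, SECRET);
}

// Submit time: verify the token, then refuse any field that was not signed.
function filterSubmittedFields(array $post, string $token): array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        throw new RuntimeException('Malformed field token');
    }
    $list = base64_decode($parts[0], true);
    // hash_equals() compares in constant time
    if ($list === false || !hash_equals(hash_hmac('sha256', $list, SECRET), $parts[1])) {
        throw new RuntimeException('Field list was tampered with');
    }
    $allowed = json_decode($list, true);
    $extra = array_diff(array_keys($post), $allowed);
    if ($extra !== []) {
        throw new RuntimeException('Unsigned fields submitted: ' . implode(', ', $extra));
    }
    return $post; // only now is it safe to map values onto the object
}

// Constructed sample: the ACL wrapper rendered "title" and "teaser" but hid "isApproved".
$token = signRenderedFields(['title', 'teaser']);

// A normal submission passes through unchanged.
var_dump(filterSubmittedFields(['title' => 'Hi', 'teaser' => 'x'], $token));

// A request with an extra, never-rendered field is rejected before storage.
try {
    filterSubmittedFields(['title' => 'Hi', 'isApproved' => '1'], $token);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

In this sketch the token would travel in a hidden form field; a client that alters the field list inside it cannot produce a matching HMAC without the secret.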


More information about the TYPO3-project-typo3v4mvc mailing list