[TYPO3-mvc] extbase: How to prevent manipulations of forms?

Alexander Wende alexander.wende at mail.com
Mon Nov 29 20:26:47 CET 2010


Hi,
I'm new to Extbase. I read some tutorials and I think that I mostly understand them.
I developed a simple extension as an exercise.
My extension has only one model called bookmark.
The bookmarks have an n:m relation to the Extbase fe_users model.
Everything works fine. The Extbase kickstarter created all forms I need.
I noticed that if I change the "identity" hidden field in the edit form, the framework doesn't notice it. So it would be possible to edit a bookmark which belongs to another user.
So I have to check in the update action if the current fe_user is allowed to perform the action.
For that reason I created a new method "isAccessibleByUser" in the model.
This method should check if the fe_user is allowed to access the bookmark.
But now I have a problem: if I try to access the fe_users property of the bookmodel, it's empty. Why is that? It's a storageObject. All other properties like uid, title, url etc. are filled...
My solution for that problem: I created a new instance of the bookmark repository within the bookmark model and search the bookmark object by uid. But is that the right way? I'm nearly sure that it isn't.
The next question is whether there is a built-in option to prevent the manipulation of forms?
Thanks for your assistance
Alex
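
Added example, not part of the original message and not Extbase API: a plain-PHP sketch of the server-side ownership check the post describes, where the submitted "identity" value only selects a record and the owner list is read from the stored copy. The `Bookmark` class, `updateBookmark()` and the array standing in for the repository are hypothetical names; only `isAccessibleByUser` and the `identity` field name come from the post.

```php
<?php
declare(strict_types=1);

// Plain-PHP sketch; every class and function name here is hypothetical, not Extbase API.
final class Bookmark
{
    public int $uid;
    public string $title;
    /** @var int[] uids of the fe_users that own this bookmark */
    private array $ownerUids;

    public function __construct(int $uid, string $title, array $ownerUids)
    {
        $this->uid = $uid;
        $this->title = $title;
        $this->ownerUids = $ownerUids;
    }

    public function isAccessibleByUser(int $feUserUid): bool
    {
        return in_array($feUserUid, $this->ownerUids, true);
    }
}

/**
 * Update handler: the submitted uid only selects a record. Ownership is read
 * from the stored copy and compared with the session user, never from the form.
 *
 * @param array<int, Bookmark> $storage constructed stand-in for the repository
 */
function updateBookmark(array $storage, int $sessionUserUid, array $form): bool
{
    $uid = filter_var($form['identity'] ?? null, FILTER_VALIDATE_INT);
    if ($uid === false || !isset($storage[$uid])) {
        return false;                       // malformed or unknown identity
    }
    $stored = $storage[$uid];
    if (!$stored->isAccessibleByUser($sessionUserUid)) {
        return false;                       // tampered identity: not this user's record
    }
    $stored->title = (string)($form['title'] ?? $stored->title);
    return true;
}

// Constructed sample data: bookmark 1 belongs to user 10, bookmark 2 to user 20.
$storage = [1 => new Bookmark(1, 'mine', [10]), 2 => new Bookmark(2, 'theirs', [20])];
var_dump(updateBookmark($storage, 10, ['identity' => '1', 'title' => 'renamed'])); // own record
var_dump(updateBookmark($storage, 10, ['identity' => '2', 'title' => 'hijack']));  // foreign record
```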
