[TYPO3-mvc] Secure parameter transfer
Matthew Colton
mat.colton at web-xs.de
Sat Feb 4 10:37:14 CET 2017
It's always a bad idea to let user-sent form data decide on rights, no
matter if extbase or not.
Why should a user be able to register himself as an admin? In which case
is that required?
Cheers
Matthew
On 03.02.2017 at 23:17, Wowbagger wrote:
> Hi!
>
> I have a security question about my extbase extension.
>
> Let's say I have a form with which users can register. This is the
> showAction:
>
> public function showAction($formData = NULL) {
>     $this->view->assign('role', 'user');
>     $this->view->assign('formData', $formData);
> }
>
> In fluid the form looks like this:
> <f:form action="create" object="{formData}" name="formData"
> arguments="{role:role}">
>
> The user completes the form and submits it to the createAction
>
> /**
>  * @param array $formData
>  * @param string $role
>  */
> public function createAction($formData, $role) {
> ..
>
> Is this secure? Or is it possible that the user changes the role
> parameter, so that he gets "admin" instead of "user"?
> If yes, how can I do a secure implementation of this?
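The point made in the reply above, as an added example that is not part of the original thread: a framework-independent PHP sketch (plain functions, not Extbase API) that runs the pattern from the question and a server-side alternative against a constructed tampered request. The function names, the constants and the field list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: request arguments after the client changed the
// 'role' value that showAction originally rendered as 'user'.
$tamperedArguments = [
    'formData' => ['username' => 'alice', 'email' => 'alice@example.org', 'role' => 'admin'],
    'role'     => 'admin',
];

// Pattern from the question: the role is read back from the request.
function createFromRequestRole(array $arguments): array
{
    return [
        'username' => (string)$arguments['formData']['username'],
        'email'    => (string)$arguments['formData']['email'],
        'role'     => (string)$arguments['role'], // client-controlled value
    ];
}

// Server-side alternative: the role is a constant and only allowlisted
// fields are copied out of the submitted form data.
const SELF_REGISTRATION_ROLE = 'user';
const ALLOWED_FORM_FIELDS = ['username', 'email'];

function createWithServerRole(array $arguments): array
{
    $formData = $arguments['formData'] ?? [];
    if (!is_array($formData)) {
        throw new InvalidArgumentException('formData must be an array');
    }
    $account = [];
    foreach (ALLOWED_FORM_FIELDS as $field) {
        if (!isset($formData[$field]) || !is_string($formData[$field])) {
            throw new InvalidArgumentException("Missing or invalid field: $field");
        }
        $account[$field] = trim($formData[$field]);
    }
    // Any 'role' key in the request, top-level or nested, is ignored.
    $account['role'] = SELF_REGISTRATION_ROLE;
    return $account;
}

// Print the role each variant would store for the same tampered request.
var_dump(createFromRequestRole($tamperedArguments)['role']);
var_dump(createWithServerRole($tamperedArguments)['role']);
```

In an Extbase controller the same idea means dropping `$role` from the `createAction` signature and from the form's `arguments`, and assigning the role inside the action.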