Is public function safe to use in cakephp ? As i know public functions can be accessed through URL. I am new in cakephp.
Yes and no.
For standard Controller functions (aka Actions), it's standard practice to use public functions.
Does that make them "safe"? There is no way to answer that. Really depends on what you're trying to secure, and what other methods you're using to secure it.
There will never be a point where someone should answer the question "is it safe". But yes, as a rule, any function you want to access via a URL will be public. It's up to you to determine what additional security measures you want to implement. For instance, using the AuthComponent to determine if they're logged in, then comparing the User's "role" against valid roles that should have access to that method...etc.
Related
Is there a way to query what methods are offered by a given NEAR contract? (So that one could do autodiscovery of some standard interface, for instance.) Or do you have to just know the method signatures already before you can interact with a contract?
No not yet. Currently all contract methods have the same signature. () -> () No arguments and nothing is returned. Each method has a wrapper function that deserializes the input bytes from a host; calls the method; and serializes the return value and passes the bytes back to the host.
This is done with input and value_return. See input..
There are plans to include the actual signatures of the methods in the binary in a special section, which would solve this issue.
NEP-351 was recently approved, which provides a mechanism for contracts to expose all standards they implement. However, it is up to contract developers to follow this NEP. When integrated into the main SDK, I presume most will.
Alternatively, there is a proposal to create a global registry as a smart contract that provides this information.
Currently, there is not.
You will need to know what contract methods are available in order to interact with a smart contract deployed on NEAR. Hopefully, the ability to query available methods will be added in the near future.
I suppose you can just include a method in your own contracts that returns the other method signatures in some useful format: json or whatever
you would have to make sure that it stays current by maybe writing some unit tests that use this method to exercise all others
I suppose this interface (method and unit tests) can be standardized as an NEP in the short term until our interface becomes discoverable. any contracts that adhere to this NEP must include this "tested reflection method" or "documentation method" or whatever it would be called
I'm knocking together a demo app based upon Nancy.Demo.Authentication.Forms.
I'm implementing Claims and UserName in my UserIdentity:IUserIdentity class and, as per the demo, I've got a UserModel with UserName.
In the SecureModule class, I can see that the Context.CurrentUser can be used to see who it is that's logged on, but as per the interface, this only supplies the username and the claims. If I then need to get more data (say messages for the logged on user) for a view model, all I can see to use as a filter for a db query is the username, which feels, well, weird. I'd much rather be using the uniqueIdentifier of the user.
I think what I'm trying to get to the bottom of, if it is better to add the extra fields to my IUserIdentity implementation, or to the UserModel? And where to populate these?
Not sure my question is that clear (It's not clear in my head!), but some general basic architecture advice would go down a treat.
Sorry for the delayed reply.. bit hectic at the moment :)
The IUserIdentity is the minimum interface required to use Nancy's built in authentication helpers, you can implement that and add as much additional information as you like to your class; it's similar to the standard .net IPrincipal. If you do add your own info you'll obviously have to cast to your implementation type to access the additional fields. We could add a CurrentUser method to stop you having to do that, but it seems a little redundant.
You can stop reading here if you like, or you can read on if you're interested in how forms auth works..
FormsAuth uses an implementation of IUsernameMapper (which is probably named wrong now) to convert between the Guid user identifier that's stored in the client cookie and the actual user (the IUserIdentity). It's worth noting that this GUID needs to be mapped to the user/id somewhere, but it's not intended to be your database primary key, it is merely a layer of indirection between your (probably predictable) user id/names and the "token" stored on the client. Although the cookies are encrypted and HMACd (depending on your configuration), if someone does manage to crack open and reconstruct the auth cookie they would have to guess someone else's GUID in order to impersonate them, rather than changing a username (to "admin" or something smilar), or an id (to 1 for the first user).
Hope that makes sense :)
I have an admin controller that I would like to utilize functions in other controllers (these functions do not represent pages that someone would load in their browser), but it cannot utilize those functions because the functions in the other controllers are private. They are private because I don't want the public to access them. Is there a way to make a controller function not accesible to the public without making the function private or protected?
public function __blah(){
// function that can't be accessed from outside, but can be called from other functions
}
Based on what I've read in the comment of the answer Piotr gave you:
You don't use an admin controller. You want to use admin prefixes:
http://book.cakephp.org/view/950/Prefix-Routing
And authentication:
http://book.cakephp.org/view/1250/Authentication
If you call - and thats how your comment sounds like - one controller from another you're doing something totally wrong in an MVC framework. If it should be re-usable code it should go into components if it's about admin action use the prefix routing and admin_* methods, auth component and protected methods for what you call "helper" methods.
Yes.
You have a lot of information in the CakePHP Book about ACL (access control list) and that is exactly what you're looking for.
Or you may use Auth component.
I see three possible solutions (they can also be combined):
The first solution is to move the code you want to reuse to components (as mentioned by burzum).
The second solution depends on your code. It's possible that you do stuff in the controller which should be done in the model. In this case, move the respective code to the model.
The third solution is to put the code you want to reuse into plain old PHP classes and load them as vendor files.
I've asked a question here couple days ago, about how to avoid a function to be called from the browser. Some nice people pointed out that if put an underscore before de name of the function, it'll only accept calls from inside app. But, by doing that, I cannot call the function from an element (by using requestAction). Is there another way to do it? Thanks!
You can't call a private or protected method from outside it's class; (that's the whole point of private and protected methods!)
Your only option, unless I'm mistaken, is to make the method public, or call it from within another method, perhaps with an ambiguous method name if you are worried about a user accidentally calling it.
You can also check to see if the request was made via requestAction using:
if (!empty($this->params['requested'])) {
//requestAction was used, requested is set to 1
}
So you could use this in a public method, and do the appropriate action depending on whether it was requested or not.
I have a User object that, upon successful authentication, is tucked into the session (sans security info) for easy recall and for determining whether we have an authenticated user or anonymous session. There are several paths by which the user can alter some or all of his or her information and I'd like to keep that session value up to date. The obvious answer is to update the value in the afterSave() callback, but that, of course, violates MVC.
Is there another way of capturing every change in one place so that I don't have to drop session writes all over the place? I can't think of anything, nor have I been able to find any other ideas. Am I the only person trying to do something like this?
Thanks.
Final Solution: I marked neilcrookes' response as the answer, frankly, because there doesn't seem to be the better way. Since this way violates my OCD senses, though, I took a slightly different path. I decided to have my User::authenticate() method return the authenticated user object to the caller so it can do whatever it wants with it. One of the things that the callers "want" to do is to drop that value in the session. It's redundancy, but it's very, very limited. In my mind, that felt better than accessing the session from the model (though it's certainly a damned if you do, damned if you don't scenario).
//in users controller
if ($this->User->save()) {
$this->Auth->login($this->User->read());
$this->Session->setFlash[.. etc]
And for the record, I do not agree with the answer of neilcrooks, but I will refrain from feeding the troll.
Some might disagree but I'd screw MVC, do it in Model::afterSave() and use $_SESSION - test for the session before writing to it, in case it's not started for example you are saving against the model in a shell or something.
MVC is a general pattern - a guideline, you can bang your head against it trying to figure out how to achieve something that doesn't quite fit, or just do it another way and move onto to something more important.
Bring on the flames.
after save
Use Like this
$this->Session->write('Auth.User.mmid', $kinde['Kindle']['id']);
You should be able to just use AppController to create the necessary callback(s) that keep your session data up to date. So, for instance, you could have your User model afterSave() set a property called changed to true. Then in your AppController->afterFilter() you check that property and update the session data as necessary.
Alternatively, you could write a component through which to update your user info and also your session data. Then any controller that needs to change user info just needs to include that component.
There's no need to write redundant code or break MVC.