wiki:iPeerSecurity

iPeer Security

Overview

The stats for the logged in user are kept inside the rdAuth object. This object is stored into the session on login with rdAuth->setFromData(), and loaded on by the parent class AppController? with $this->rdAuth->loadFromSession() in checkAccess().

app_controller→checkAccess()

The method will check the requested controller name against the database (specifically, the contents of sysContainer->getActionList())), and if any entry with this controller is found, it keep processing the page. Otherwise, it redirects the client to loginlout/login. Specifically which method will the client requests to be invoked, is, apparently, no concidered.

//check permission
if (!$this->rdAuth->check($this->params['controller'], $this->sysContainer->getActionList())) {
   $this->Session->write('URL', $URL);
   $this->Session->write('AccessErr', 'NO_PERMISSION');
   $redirect = 'loginout/login';
   $this->redirect($redirect);
   exit;
}

Users_controller, evaluations_controller, and some others

Each potentially sensitive method in users_controller checks the user role against 'S' (or Student). If a Student should not be able to access this function, they are re-directed away from the page. If any other user type is logged on, the requested action will proceed.

if ($this->rdAuth->role == 'S') {
    $this->redirect('home/index');
    exit();
}
Last modified 7 years ago Last modified on 2010-06-16T15:38:07-07:00