I am using Symfony 1.4, sfDoctrineGuardPlugin.
On my backend app, users can reach a page which they cannot actually by changing url manually. Is there any way to stop it?
Lets say, every author can just reach their own data normally. But if they change id on url they can edit which article they want. I searched on the internet but cannot find any solution for it? Do you know a way?
Thanks a lot.
By just hiding things that doesn't belong to a particular author you can't protect them from being edited or deleted.
Overload executeEdit/executeUpdate/executeDelete actions in your backend modules to avoid unauthorized management.
Something like:
public function executeEdit(sfWebRequest $request) {
...
$this->forward404Unless($this->article->belongsTo($me));
...
}
In addition, you can check for proper credentials. It's useful when you want to some user groups to access some special content, or content of another users.
Hope that helps.