Re: [ic] Controlling access to tables
Quoting Marcus Weseloh (marcus@slightlydifferent.co.uk):
> > I have a table containing personal client information and want each
> > client to be able to access just his own data. While that is not a
> > problem, I fear that security is not very high as other users could guess
> > the table name and (if they know minivend/interchange) display all the
> > data in that table using commands in a URL.
>
> Sorry, forget that. I just didn't think straight. I thought a one-click scan
> of a table would just return the data, but of course it uses a result page
> into which I can put conditionals. Next time I will think before posting to
> the list.
>
Actually, you are right to worry. Consider:
[page scan
st=db
fi=userdb
ra=yes
rf=credit_card_number] Show CC [/page]
(Of course that is completely bogus, but you get the idea.)
You could get the data back in the [item-code], since rf allows
you to set the field returned as code.
In Interchange, though, you can set:
NoSearch userdb your_private_table
(Default is userdb.)
At that point, you can't search those tables by URL. You can
override the setting for a certain page with
[calc]$Config->{NoSearch} = ''[/calc]
--
Akopia, Inc., 131 Willow Lane, Floor 2, Oxford, OH 45056
phone +1.513.523.7621 fax 7501 <heins@akopia.com>
I have a cop friend who thinks he ought be able to give a new ticket;
"too dumb for conditions".
_______________________________________________
Interchange-users mailing list
Interchange-users@www.minivend.com
http://www.minivend.com/mailman/listinfo/interchange-users
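Added illustration, not code from the post or from Interchange itself: a small Python model of the two points Mike makes above. First, a URL-driven db scan with ra=yes and an attacker-chosen rf hands back that column of every row as the item codes, so no conditional on the result page can undo the leak; second, a NoSearch list checked at the search layer refuses the scan before any rows are read, with the per-page override modelled as a flag. The table rows, the function and class names (url_scan, CatalogConfig, SearchDenied) and the dict-based config are all made up for this example.

```python
"""Toy model of URL-driven table scans and a NoSearch-style refusal.

This is an added example; it is not Interchange code. The table names,
rows, and the API below are invented to show the mechanism only.
"""
from dataclasses import dataclass, field


class SearchDenied(Exception):
    """Raised when a URL scan names a table on the NoSearch list."""


@dataclass
class CatalogConfig:
    # Interchange's default is 'NoSearch userdb'. An empty set models a
    # catalog whose author cleared the directive (the weak setting).
    no_search: set = field(default_factory=lambda: {"userdb"})


# Constructed sample tables. The card numbers are well-known test values.
TABLES = {
    "userdb": [
        {"username": "alice", "credit_card_number": "4111111111111111"},
        {"username": "bob", "credit_card_number": "5555555555554444"},
    ],
    "products": [
        {"sku": "os28004", "price": "12.95"},
        {"sku": "os28005", "price": "29.00"},
    ],
}


def url_scan(params, config, page_override=False):
    """Model of 'st=db fi=<table> ra=yes rf=<field>' arriving from a URL.

    Returns the chosen field of every row as the list of item codes, which
    is how the data leaks in the post's [page scan ...] example. The
    NoSearch check runs here, before any result page is rendered, so a
    conditional on the result page is never the line of defence.
    page_override models '[calc]$Config->{NoSearch} = ""[/calc]' placed on
    a page the site author deliberately opened up (hypothetical flag).
    """
    if params.get("st") != "db" or params.get("ra") != "yes":
        raise ValueError("only return-all db scans are modelled here")
    table = params["fi"]
    if table in config.no_search and not page_override:
        raise SearchDenied(f"{table} is listed in NoSearch")
    return [row[params["rf"]] for row in TABLES.get(table, [])]


def demo():
    """Run the same attacker-shaped request against weak and default settings."""
    attack = {"st": "db", "fi": "userdb", "ra": "yes", "rf": "credit_card_number"}
    public = {"st": "db", "fi": "products", "ra": "yes", "rf": "sku"}
    results = {}
    # Weak setting: NoSearch cleared, every card number comes back as a code.
    results["open"] = url_scan(attack, CatalogConfig(no_search=set()))
    # Default setting: refused before a single row is touched.
    try:
        url_scan(attack, CatalogConfig())
        results["default"] = "leaked"
    except SearchDenied as exc:
        results["default"] = f"denied: {exc}"
    # Tables not on the list stay searchable by URL.
    results["products"] = url_scan(public, CatalogConfig())
    # The per-page override reopens the table on that page only.
    results["override"] = url_scan(attack, CatalogConfig(), page_override=True)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is where the check lives: the refusal is made by the search dispatcher from the table name alone, so it does not matter what the result page does with the codes, and the override has to be an explicit act on a specific page rather than something a visitor can supply in the URL.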