[jifty-devel] load_by_cols and access control
Jesse Vincent
jesse at bestpractical.com
Tue Feb 27 09:53:52 EST 2007
On Tue, Feb 27, 2007 at 09:51:19AM -0500, Henry Baragar wrote:
> Hello,
>
> Is it the intention that load_by_cols (and id) bypass access control?
>
> It surprised me, with my current_user_can definition, that I can load a record
> (using load_by_cols) but not read any of the columns (other than id). Is
> there a laod_by_cols wrapper method, similar to _value(), missing from
> Jifty::Record?
Often times, the access control decisions depend on the content of the
record (and there are other ways to load records). What attack are you
concerned about?
>
> Regards,
> Henry
> _______________________________________________
> jifty-devel mailing list
> jifty-devel at lists.jifty.org
> http://lists.jifty.org/cgi-bin/mailman/listinfo/jifty-devel
>
--
More information about the jifty-devel
mailing list