[jifty-devel] load_by_cols and access control

Jesse Vincent jesse at bestpractical.com
Tue Feb 27 09:53:52 EST 2007




On Tue, Feb 27, 2007 at 09:51:19AM -0500, Henry Baragar wrote:
> Hello,
> 
> Is it the intention that load_by_cols (and id) bypass access control?
> 
> It surprised me, with my current_user_can definition, that I can load a record 
> (using load_by_cols) but not read any of the columns (other than id).  Is 
> there a load_by_cols wrapper method, similar to _value(), missing from 
> Jifty::Record?

Oftentimes, the access control decisions depend on the content of the
record (and there are other ways to load records). What attack are you
concerned about?

> 
> Regards,
> Henry

-- 
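
The behaviour discussed in this thread (loading is unchecked, column reads are checked, and the check may need the record's own content), as an added example that is not part of the original messages and is not Jifty's code. It is a stand-alone Perl model: `Model::Note`, its constructed sample rows, the `value` accessor and the owner-may-read rule are all assumptions made for illustration.

```perl
use strict;
use warnings;

# Stand-alone model of the pattern in this thread; NOT Jifty::Record itself.
package Model::Note;

# Constructed sample rows.
my %ROWS = (
    1 => { id => 1, owner => 'alice', body => 'alice draft' },
    2 => { id => 2, owner => 'bob',   body => 'bob draft'   },
);

sub new {
    my ($class, %args) = @_;
    return bless { current_user => $args{current_user}, row => undef }, $class;
}

# Loading performs no ACL check: the row must be in memory before a
# content-dependent rule (here: "owner may read") can be evaluated.
sub load_by_cols {
    my ($self, %cols) = @_;
    for my $row (sort { $a->{id} <=> $b->{id} } values %ROWS) {
        next if grep { ($row->{$_} // '') ne $cols{$_} } keys %cols;
        $self->{row} = $row;
        return 1;
    }
    return 0;
}

# The rule reads the record's own 'owner' column, so it cannot run pre-load.
sub current_user_can {
    my ($self, $right, %args) = @_;
    return 0 unless $self->{row};
    return $right eq 'read' && $self->{row}{owner} eq $self->{current_user};
}

sub id { $_[0]{row} ? $_[0]{row}{id} : undef }   # id is returned unchecked

# Checked accessor: every other column goes through current_user_can.
sub value {
    my ($self, $column) = @_;
    return undef unless $self->current_user_can('read', column => $column);
    return $self->{row}{$column};
}

package main;

my $note = Model::Note->new(current_user => 'alice');
$note->load_by_cols(owner => 'bob');
printf "loaded id=%s body=%s\n", $note->id, $note->value('body') // '(denied)';
```

In this model a successful load plus a visible `id` tells the caller that a matching row exists even when every other column is denied, which is the situation the question describes.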

