I really can't find a reliable place for ACL checks.
If I place it in beforeDispatch() then I don't know whether the controller/action exists and can't send an adequate response. If 404 is sent, the user could think that an actually existing page doesn't exist. If 403 is sent, the user can think that an actually nonexistent page exists.
It should send 403 and 'you have to keep more access rights' for an existing page and 404 'page you want doesn't exist' for a nonexistent page.
If I place the ACL in beforeExecuteRoute() then initialize() is executed before the ACL check and causes many problems. I perceive initialize() as a part of the action that executes right before it. There are many cases when you want to do something for any action in a concrete controller (because, for example, it is used in the controller layout for all the actions) and this thing requires the respective access (for example, reading data for the user). But you can't do this safely because initialize() is called before the ACL check. And an accident could happen when the app tries to get the user's data when the session isn't logged in and there is actually no user...
I'm proposing to add an event that executes when the app knows the controller and the action exist, but before any business logic.
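The ordering requested above (existence check, then ACL, then initialize() and the action), modelled as an added example in plain PHP 8. This is not code from the issue or from the framework; `MiniDispatcher`, `ProfileController`, the `$acl` map and the sample requests are hypothetical.

```php
<?php
// Added illustration: a framework-free model of the dispatch order requested in the issue.
// Every class and variable name here is hypothetical.

class ProfileController
{
    public array $log = [];

    // Stands in for initialize(): it reads user data, so it must only run after the ACL check.
    public function initialize(array $session): void
    {
        $this->log[] = 'initialize for user ' . $session['user_id'];
    }

    public function viewAction(): string
    {
        return 'profile page';
    }
}

class MiniDispatcher
{
    // $acl maps "Class::method" to the roles allowed to run it; anything unlisted is denied.
    public function __construct(private array $acl) {}

    public function dispatch(string $controller, string $action, array $session): array
    {
        $class  = ucfirst($controller) . 'Controller';
        $method = $action . 'Action';

        // 1. Existence first, so a missing controller/action is always reported as 404.
        if (!class_exists($class) || !method_exists($class, $method)) {
            return [404, "page you want doesn't exist"];
        }
        // 2. ACL second: the handler is known to exist, but none of its code has run yet.
        $role = $session['role'] ?? 'guest';
        if (!in_array($role, $this->acl["$class::$method"] ?? [], true)) {
            return [403, 'you have to keep more access rights'];
        }
        // 3. Only now instantiate the controller, run initialize(), then the action.
        $handler = new $class();
        $handler->initialize($session);
        return [200, $handler->$method()];
    }
}

$d = new MiniDispatcher(['ProfileController::viewAction' => ['user']]);
// Constructed sample requests: anonymous visitor, nonexistent controller, logged-in user.
print_r($d->dispatch('profile', 'view', []));
print_r($d->dispatch('missing', 'view', []));
print_r($d->dispatch('profile', 'view', ['role' => 'user', 'user_id' => 7]));
```

Because the ACL map is default-deny, `initialize()` is never reached for a request without a session, which is the failure the issue describes for `beforeExecuteRoute()`.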