YII提出的安全Ajax请求

i'm currently writing a Application based on YII.
My action for index:

  public function actionIndex() {
    $data = array();
    $data['server'] = Server::model()->findByPk(1);
    $data['dataProvider'] = new CActiveDataProvider('ServerUserPermission', array('criteria' => array('condition' => 'serverID=:id', 'params' => array(':id' => 1))));
    $this->render('index', $data);
}

my ajax action:

public function actionAddPermission($server) {
    if(Util::checkServerPower($server, Permission::MODIFY_SERVER)) {
        $perm = new ServerUserPermission;
        $perm->userID = 1;
        $perm->serverID = $server;
        $perm->power = 10;
        try {
            if ($perm->save()) {
                echo "OK";
            } else {
                echo Util::print_r($perm->getErrors());
            }
        } catch (Exception $e) {
            echo 'Critical Error Code: ' . $e->getCode();
        }
    } else {
        echo 'No Permissions';
    }
}

My view links to the addPermission action by using a button:

echo CHtml::ajaxButton("Insert New Player", array('addPermission', 'server' => $server->serverID), array('success'=>'refresh'));

My function Util::checkServerPower(...) checks the current User of the Application. Consequence: Ajax requests in YII are handled by an Guest AuthWeb User, but i need to check whether the User is actually allowed to add permissions or not. I currently cannot think of a secured solution to protect malicious data send by other guests or not. Is it somehow possible to get the (server-side) userID of the Ajax-call?

Thanks anyway sincerly

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dongyangben6144 2013-08-26 07:43
关注
I would do it by using the built in access control and extending CWebUser. It might seem lengthy but I think it's a clean solution. (We already have Yii::app()->user->isGuest and the like, so why not check all permissions here?)

1) Activate the access control filter.

(In one controller or in /components/controller.php for all your controllers at once)

public function filters() { return array( 'accessControl' ); // Tell Yii to use access rules for this controller }

2) Add an access rule

In the concerned controller. (Sorry, I didn't bother with your index-action.)

public function accessRules() { return array( [ 'allow', 'actions'=>['AddPermission'], 'expression'=>'$user->has(Permission::MODIFY_SERVER)' ], ['deny'], // Deny everything else. ); }

3) Extend CWebUser

// components/WebUser.php class WebUser extends CWebUser { public function has( $permission) { // Check database for permissions using Yii::app()->user->id ... } }

4) Configure your app to use your new WebUser instead of CWebUser

// config/main.php 'components'=>[ 'user'=>[ 'class' => 'WebUser', ], ],
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

YII提出的安全Ajax请求 ajax php
2013-08-25 19:27

回答 1 已采纳 I would do it by using the built in access control and extending CWebUser. It might seem lengthy b
Yii获取ajax请求ID ajax php
2012-02-07 09:22

回答 1 已采纳 Pass it as follows: <?= CHtml::ajaxButton('Click', $this->createUrl('path/here', array('myp
Yii在ajax请求上卸载bootstrap插件 ajax php
2012-02-22 14:55

回答 2 已采纳 You can selectively load it in your config/main.php. This might not be the best PHP but it should
yii2 view ajax,Yii2使用Modal同controller进行Ajax方式交互
2021-08-05 22:19

吾酔淸風的博客最近在使用Yii2模板自己搭建一个小网站，其中涉及到使用Modal进行一些小页面的交互设计。但是在使用Modal过程中，发现网络上虽然有一些教程，但是有些比较老，或者理解不到位，导致我在使用的过程中存在一些问题。...
Yii urlManager和jquery ajax GET请求 ajax php
2012-04-22 11:11

回答 2 已采纳 I've changed the seourlmanager class to add query string in the end: protected $_query; publ
Yii2为ajax搜索字段创建多语言网站 php
2018-04-09 07:50

回答 1 已采纳 First set up multi language for your site there is doc for this. Best way of auto support multi l
如何在Yii 2中跨Ajax请求使用ActiveForm实例？ ajax jquery php
2016-11-11 19:38

回答 1 已采纳 Okay, I have manage to do this, so I'll post the solution here and I'll open an issue on Github -
yii2 ajax csrf meta,Yii2 中CSRF的疑问（完结）
2021-08-05 16:11

蒋咔咔的博客如图，该页面是Ajax提交请求，那么第一个按钮点击后csrf值失效了，第二次提交失败返回400错误，求解！怎么让csrf的值可以刷新后用于第二次请求。不要让我关闭csrf,csrf本来就是为了防御这种请求的。经过楼下兄弟的...
在yii中构建Ajax ajax php
2014-03-20 21:22

回答 1 已采纳 The process will be the same pretty much as you would do without Yii. Obviously some of the method
使用Yii2通过AJAX登录设置cookie时遇到问题 ajax php
2016-10-01 13:56

回答 1 已采纳 As I suspected (see my earlier comment) response might not be correctly generated in case of simpl
Yii中CGridView上的额外Ajax ajax php
2014-01-02 01:21

回答 1 已采纳 When you delete some items from a grid, first ajax call is for delete request to server and second
yii2 分页ajax,yii2的分页和ajax分页
2021-08-06 12:33

falsecarefree的博客要想使用Yii分页类第一步:在控制器层加载分页类use yii\data\Pagination;第二步: 使用model层查询数据,并用分分页,限制每页的显示条数$data = User::find(); //User为model层,在控制器刚开始use了field这个model,...
Yii2在Ajax之后更新Listview的DataProvider php
2016-10-26 12:28

回答 2 已采纳 Finally I found myself the solution of my problem, but it could help the next readers. Everythin
Ajax 请求的坑
2022-02-21 03:07

冰雪青松的博客一、Ajax 请求的 CSRF 保护机制开发普通页面，在一般情况下，我们使用 jquery 的 Ajax 代替原生 js 向后端发起请求是很方便的。后端在一般情况下，我们使用的是像 laravel、Yii、ThankPHP 或者 CodeIgniter 等等...
Yii2.0 前后端分离前端ajax调用跨域的问题
2018-09-14 15:22

大红红的博客 Yii2.0有自己的一套防止跨域调用的机制，网上一搜一大把的解决方式，无非就是： use yii\filters\Cors; public function behaviors() { return ArrayHelper::merge([ [ 'class' => Cors::className(),...
没有解决我的问题, 去提问

悬赏问题

¥15 stata安慰剂检验作图但是真实值不出现在图上
¥15 c程序不知道为什么得不到结果
¥40 复杂的限制性的商函数处理
¥15 程序不包含适用于入口点的静态Main方法
¥15 素材场景中光线烘焙后灯光失效
¥15 请教一下各位，为什么我这个没有实现模拟点击
¥15 执行 virtuoso 命令后，界面没有，cadence 启动不起来
¥50 comfyui下连接animatediff节点生成视频质量非常差的原因
¥20 有关区间dp的问题求解
¥15 多电路系统共用电源的串扰问题

YII提出的安全Ajax请求

1条回答 默认 最新

1) Activate the access control filter.

2) Add an access rule

3) Extend CWebUser

4) Configure your app to use your new WebUser instead of CWebUser

悬赏问题

1条回答默认最新