Home/ Questions/Q 6212559
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T06:32:16+00:00

Now: resolved – no reproducible anymore For some specific application security, I have the

  • 0

Now: resolved – no reproducible anymore

For some specific application security, I have the following createQuery function on a table, ie you can only access the table record if you have the “Administrator” credential or if you are the user that is stored in the MembershipDelegate relation.

class OrganisationTable extends Doctrine_Table
function createQuery($alias = ''){

    if (!$alias){
        $alias = 'o';
    }

    $query = parent::createQuery($alias);
    try {
        $user = sfContext::getInstance()->getUser();
    }catch(Exception $e){
        if ($e->getMessage() == 'The "default" context does not exist.'){
            return $query;
        }else{
            throw $e;
        }
    }

    if ($user->hasCredential('Administrator')){
        //all good

    }else{


        $userId = $user->getAttribute('userId');
        print "<!--testaa ".print_r($user->getCredentials(),1).'-->';
        $query->
        leftJoin("$alias.MembershipDelegate mdelsec")->
        addWhere ("mdelsec.joomla_user_id=$userId");
    }

    return $query;
}

This seems to work fine at all levels, however there is a choice validator for which the $user object seems to come back empty

    /**
     * Person form base class.
     *
     */
     ...
    abstract class BasePersonForm extends BaseFormDoctrine
    {
      public function setup()
      {
        $this->setWidgets(array(

    ...
          'organisation_id'                          => new sfWidgetFormDoctrineChoice(array('model' => $this->getRelatedModelName('Organisation'), 'add_empty' => true)),


    class PersonForm extends BasePersonForm{

        public function configure(){

            $this->widgetSchema['organisation_id']->setOption('renderer_class', 'sfWidgetFormDoctrineJQueryAutocompleter');
            $this->widgetSchema['organisation_id']->setOption('renderer_options', array(
            'model' => 'Organisation',
            'url' => NZGBCTools::makeUriJoomlaCompatible(
                    sfContext::getInstance()->getController()->genUrl('organisation/jsonList'))
            ));
            $this->validatorSchema['organisation_id']->setOption('required',false);

is there any other way to get the user object in the model?

This approach to row level security may not be MVC by-the-book, but is IMO safer and superior than implementing the same security concepts in the actions:

  • It can be used with out of the box admin-generator modules
  • It is much harder to forget to implement it somewhere
  • It may at times not require any credentials, only Super Admin access
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It now appears that this question was a fluke as I can’t reproduce the problem after fixing other issues around the user authentication.

    • 0