Question about safety and good practices #1349
Replies: 2 comments 3 replies
-
|
Hi! I'm not sure I really understand the question. How you organize folders is not really related to how secure your application is. Everything under the web root will be accessible to everyone. Before any sensitive database operation, you should use the redirect component with a where clause that checks the current user is authorized. |
Beta Was this translation helpful? Give feedback.
-
|
the way I work : and I created one specific file for each type of users starting with the redirect component to check the rights of the user : display_doc_3.sql It is a rather crude way to manage the rights since you have to create 2 files for the same purpose ; you can choose to create only one file with a check of the rights level at the beginning of each file and a filter on the delete option (if user type is editor then nothing, if user type is supervisor then delete.....) but I prefer the double files options since it is easier to read and even it means more files in your folder, you know where you are. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I am currently developping an app for a company. The aim of this app is to allow clients to access some documents tied to a product made by the company I work for. There are different levels of users, where client companies can create managers (who can access multiple groups of products) and workers (who can access multiple products).
At the moment, I have organised the files under this directory structure :
/ model
/ back
/ front
The handlers take care of all the writing, modifying and deleting from the database (I am using the 'http-header' component to hide the handlers and redirect to pages).
The manage-entity.sql files show a page with options to see a certain entity (manage-companies.sql to see a table of companies, with options to add, delete etc).
The displays show a specific entity with its details in a datagrid, and the forms are quite self descriptive.
The back is composed of all pages that the administrators will have access to to create most of the users and products.
The front is dedicated for users, and as some users can create other users of products (a company can create manager accounts for its employees if needed etc).
Here is my question : Would it be safer to have a dedicated handlers folder in the front folder for any interaction that the users can have with the database ? Or can the users just call the handlers and it should be no problem ?
Beta Was this translation helpful? Give feedback.
All reactions