I created a custom _make_sure_allowed authorization method to restrict access to records on pages by organization ID. Every user when logged in has a session variable org_id that is compared against every database record they try to access which has a column of org_id.
Initially the method failed to work until I discovered that it is blocked by a JS constant called token at the end of every show.php file that is created using the TG app. At the end of the show.php file is some JS code.
When I comment out the first line with the token constant, the authorization method works perfectly. The constant does not exist in the create.php view of trongate_administrators module but it is a JS variable in the members module from the Modules market place. I found that constant in admin.js in the public folder.
Questions:
1. What is the purpose of the token JS constant in the show.php files?
2. Does removing it have any possible negative implications?
3. Why does it block access to my authorization method?
Authorization question
2 years ago
#1
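The check described in the post above (session `org_id` compared with the record's `org_id` column), as an added example that is not the poster's code and not Trongate's API. The function name, the `records` table, and the sample rows are hypothetical, and it assumes the `pdo_sqlite` extension is available:

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of Trongate): return a record only when it
// belongs to the caller's organization. The org_id filter is part of the
// query, so another organization's record looks the same as a missing one.
function fetch_record_for_org(PDO $db, int $record_id, array $session): ?array
{
    // A missing, non-numeric, or non-positive org_id means there is no
    // organization context to authorize against: deny by default.
    $org_id = filter_var(
        $session['org_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($org_id === false) {
        return null;
    }

    $stmt = $db->prepare(
        'SELECT id, org_id, title FROM records WHERE id = :id AND org_id = :org_id'
    );
    $stmt->execute([':id' => $record_id, ':org_id' => $org_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL, title TEXT)');
$db->exec("INSERT INTO records (id, org_id, title) VALUES (1, 10, 'Org 10 record'), (2, 20, 'Org 20 record')");

// Constructed sessions: matching org, other org, no org_id, malformed org_id.
$cases = [
    'same organization'  => [1, ['org_id' => 10]],
    'other organization' => [2, ['org_id' => 10]],
    'no org_id in session' => [1, []],
    'malformed org_id'   => [1, ['org_id' => '10 OR 1=1']],
];

foreach ($cases as $label => [$id, $session]) {
    $row = fetch_record_for_org($db, $id, $session);
    printf("%-22s => %s\n", $label, $row === null ? 'denied' : 'allowed: ' . $row['title']);
}
```

Only the first case is allowed; the decision is made entirely on the server and does not depend on anything the view sends to the browser.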
2 years ago
#2
Hello,
1. What is the purpose of the token JS constant in the show.php files?
Look at the members/controller file Show method.
This code is security for your website. 2 lines and the page is secure.
2. Does removing it have any possible negative implications?
Yes, if you do not put your own security in.
3. Why does it block access to my authorization method?
We would have to see your code. There is probably a conflict somewhere.
Dan
2 years ago
#3
Dan,
I do not use the Members Module although I have looked at the code in it and borrowed some ideas from it. My authorization code is as follows: