Akelos Framework v1 forum archive. This forum is no longer maintained. To report bugs please visit https://github.com/akelos/akelos/issues
    • Comment author: hoydaa

    Well, I have been playing around with Akelos for a few days, and I must admit that it is the most impressive PHP framework. Akelos is very similar to RoR, which is the right thing to do in my opinion. However, there is a substantial difference in the scaffolding. Please compare the following edit operations generated with RoR:

    def edit
        @post = Post.find(params[:id])
    end
    

    and Akelos:

    function edit()
    {
        if (empty($this->params['id'])) {
            $this->redirectToAction('listing');
        }
        if (!empty($this->params['post']) && !empty($this->params['id'])) {
            $this->post->setAttributes($this->params['post']);
            if ($this->Request->isPost() && $this->post->save()) {
                $this->flash['notice'] = $this->t('Post was successfully updated.');
                $this->redirectTo(array('action' => 'show', 'id' => $this->post->getId()));
            }
        }
    }
    

    Akelos's edit function not only retrieves a record but also updates it, but MY POINT IS DIFFERENT. In Akelos's edit function, the record with the id of $this->params['id'] is probably fetched automatically. I think this makes applications vulnerable. Consider that this is the edit operation of a user record, and I am getting the id of the user from the session. Then a person can type a URL like "/user/edit/[some id]" and edit any user record.

    Maybe I am missing something. What do you think about this problem? Is there any way to prevent such kind of automatic fetching?

    • Comment author: bermi

    Hi hoydaa and welcome to the Akelos forums.

    The Akelos edit action in the scaffold is the same as Rails' edit+update methods together. Neither Akelos nor Rails scaffolds should be considered safe for production; as the name scaffold suggests, they are meant to serve as a base for implementing your application. After a scaffold is added to a new building project there is a lot of work to do to convert the scaffolded facade into a safe habitat. No one should consider living on the scaffold itself.

    Automatic model instantiation can be disabled in Akelos and might be disabled by default in future versions. Right now you can disable it by adding this to your app_controller.php:

    var $_auto_instantiate_models = false;
    

    We might change the scaffold generator to better match the one in Rails once we implement RESTful web services.

    Keep in mind that params is populated with the data coming from SESSION, COOKIES, POST and GET in that order of precedence. A GET[user_id] attribute will never override a SESSION[user_id] attribute.
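    A hardened version of the scaffolded edit action, applying bermi's advice to hoydaa's user-record scenario: automatic instantiation is switched off and the record is resolved from the session rather than from params['id']. This is an added example, not Akelos's own scaffold output; UserController, $this->User->find() and the $_SESSION['user_id'] key are assumptions about a typical Akelos application.

```php
<?php
// Added example (not the Akelos scaffold). Assumes the controller conventions
// visible in the thread ($this->params, $this->Request, redirectToAction,
// setAttributes, save, flash, t, redirectTo) plus a hypothetical User
// ActiveRecord with a Rails-style find($id); treat those as assumptions.
class UserController extends ApplicationController
{
    // bermi's app_controller.php setting, here per controller: nothing is
    // fetched from params['id'] before our own authorization logic runs.
    var $_auto_instantiate_models = false;

    function edit()
    {
        // Identity comes from the server-side session, never from the URL.
        $current_user_id = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : 0;
        if ($current_user_id <= 0) {
            $this->redirectToAction('login');
            return;
        }

        // Resolve the target record from the session; params['id'] is ignored,
        // so "/user/edit/[some id]" cannot select another user's record.
        $this->user = $this->User->find($current_user_id);   // assumed AR API
        if (!$this->user) {
            $this->redirectToAction('listing');
            return;
        }

        if ($this->Request->isPost() && !empty($this->params['user'])
            && is_array($this->params['user'])) {
            // Mass assignment: only fields the user may change reach setAttributes,
            // so a posted user[id] or user[role] is dropped.
            $allowed = array('name', 'email');
            $attributes = array_intersect_key($this->params['user'], array_flip($allowed));
            $this->user->setAttributes($attributes);
            if ($this->user->save()) {
                $this->flash['notice'] = $this->t('Profile was successfully updated.');
                $this->redirectTo(array('action' => 'show'));
            }
        }
    }
}
```

    Where an administrator legitimately edits other users by id, the same shape applies with an explicit role check before the id from the request is honoured.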