Checking Permissions in Tool for a Block Type? (Technical)

I have hit a bit of a stumbling block whilst developing a new block (sorry, couldn't resist).

Basically I want to create a block that makes some database changes (using AJAX), but want to keep the site secure. I am currently doing this with a c5 tools file but, as Remo pointed out to me recently, this can be called by anyone and no permissions are checked. Due to the nature of the block it would be easy to inject SQL and break the site, even if I closely validate the post variables.

If it were a single page I could put the code in the controller and it would be inaccessible by anybody without permissions on the page. Similarly, I could use advanced permissions on a block instance and put the controller method in there; however, I want it to be easy for a client to administrate.

I have currently written it as a tool, and would check permissions in here, but since it is associated with no particular page, this is not possible.

I can write my own code; I just wondered if any fellow developers out there could think of a workable way to do this. Hopefully I'm missing an obvious solution! Thanks in advance.

firepixel