
Hi, pretty new to Symphony but loving it now that I'm getting my head around it. One problem I've come up against is securely submitting forms from the front end that populate sections in the backend with a unique ID that refers to a user. I've noticed that you can simply edit the input element's value and essentially post forms as someone else.

This is a pretty big loophole for me as I'm looking to build a forum to really give Symphony a good real world test, but anyone with a bit of knowledge and a malicious streak could easily cause problems.

Is there a way to access a logged-in user's id from the session table using a custom event? I've yet to venture into that area of Symphony, so I am just scoping out the idea and looking for a bit of advice.

Thanks all.

I've noticed that you can simply edit the input element's value and essentially post forms as someone else.

This is why Default Event Values was created.

You could use Default Event Values.

Edit: @Lewis is indeed the fastest keyboard of the Old West! ;-)

Cheers for that guys. Finally got a chance to sit down and hook in that extension. It's working really well now. I think functionality like that should be included out of the box. You shouldn't need an extension to do this type of thing.

Also, if you are using the Members extension to handle authentication, each event has to pass an auth step before being inserted or updated. These are set up in your member roles and you can choose from 'edit none', 'edit own' or 'edit all'. So your admin users could edit everyone's posts but normal users can only add new or edit their own entry.
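To make the two suggestions above concrete, here is an added illustration in plain PHP. It is not Symphony's event code and not the source of the Default Event Values or Members extensions; the `$session`, `$post` and `$existing` arrays and the function names are constructed stand-ins. It shows the hole the original post describes (the hidden author field decides who owns the entry), the server-side fix that Default Event Values provides (the value is forced from the session, whatever the browser sent), and an ownership check modelled on the 'edit none' / 'edit own' / 'edit all' levels of the Members extension.

```php
<?php
// Added illustration, not Symphony's own code. $session, $post, $existing
// and the function names are constructed for this example.

// Vulnerable: the hidden "author" field in the submitted form decides who
// owns the new entry, so anyone editing that value posts as someone else.
function buildEntryVulnerable(array $post): array
{
    return [
        'author'  => (int) $post['author'],
        'message' => $post['message'],
    ];
}

// Hardened: the author is always taken from the authenticated session and
// any "author" value the browser sent is discarded. This is what Default
// Event Values achieves by forcing a field's value on the server side.
function buildEntryHardened(array $post, array $session): array
{
    if (empty($session['member_id'])) {
        throw new RuntimeException('not logged in');
    }
    return [
        'author'  => (int) $session['member_id'],
        'message' => $post['message'],
    ];
}

// Ownership check modelled on the Members extension permission levels.
// $existing is the stored entry the user is trying to update.
function mayEdit(string $permission, int $memberId, array $existing): bool
{
    switch ($permission) {
        case 'edit all':
            return true;
        case 'edit own':
            return $existing['author'] === $memberId;
        default: // 'edit none', or an unknown level: deny by default
            return false;
    }
}

// Constructed sample request: member 7 is logged in but tampers with the
// hidden field so the form claims author=1.
$session = ['member_id' => 7];
$post    = ['author' => '1', 'message' => 'hello'];

$spoofed = buildEntryVulnerable($post);          // owner taken from the form
$safe    = buildEntryHardened($post, $session);  // owner taken from the session

printf("vulnerable handler stores author %d, hardened handler stores author %d\n",
    $spoofed['author'], $safe['author']);

// Member 7 tries to edit an entry owned by member 1.
$existing = ['author' => 1, 'message' => "someone else's post"];
foreach (['edit none', 'edit own', 'edit all'] as $level) {
    printf("%-9s => member 7 may edit member 1's entry: %s\n",
        $level, mayEdit($level, $session['member_id'], $existing) ? 'yes' : 'no');
}
```

The point worth keeping in mind is that the form is only a convenience for the browser; the server must derive the identity from the session and decide edit rights from the stored entry's owner, never from anything the client sends.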

Korelogic, I am using the Members section. That's a fantastic feature. Thanks for pointing it out. Can probably ditch the Default Event Values and just use that now.

I've actually noticed that it's possible to post as someone else on this forum. I posted a test comment after changing the hidden id value and the post appeared as being created by someone else. Not sure if the admins are aware of that. It really should be locked down.

UPDATE: Just tried this and it seems to be working quite well. I did notice however that I had to enable the 'Create New' permission and then disable it (saving between changes) before lower level users were stopped from posting. Not a big problem but one to be aware of.


Yes, it's a much older customized members extension.


Symphony • Open Source XSLT CMS
