devot:eeDevoted to ExpressionEngine

Adds an additional layer of security to the SafeCracker module by restricting which fields can be posted on a per-member-group basis

THE PROBLEM
Safecracker is an excellent tool giving non-programmers a means to enable submission of channel entries outside of the CMS control panel.

You can show as many or as few of your channel fields as you like in your edit forms, those you don’t include do not get updated. Conversely, those you do include always get updated, and this is a security problem.

For example, imagine an online application using a channel with many fields. Some are suitable for submission from a Safecracker form and some are not (perhaps ‘admin notes’ or ‘store credits’. Could be anything). With SafeCracker in it’s current state, if the name of a sensitive field can be established, it can be updated by injecting a hidden field into the edit form.

THE SOLUTION
SafeSharpener provides a new template tag to specify which fields will be recognised by the submitted form on a global or per-member-group basis.

An extension then runs prior to SafeCracker processing that cleans the form submission of anything not included in your allowed fields.

Download SafeSharpener

SafeSharpener Links

• Documentation

This entry was created June 15, 2011, 1:15 pm.
This entry was last updated June 15, 2011, 6:17 am.

Disclaimer: Information about ExpressionEngine add-ons is provided as a service to you, the user, and every member of the ExpressionEngine community. devot:ee is not responsible if you hose, mangle, wreck, or otherwise destroy your EE website by installing an add-on that you found out about at this site, regardless of its rating, Favorites status, commercial or free status, or general popularity. Caveat EEmptor!