Mask used events through web request info usage [5.3.0-B1]
- Alex
Each form needs to have one more hidden field (usually it has "events[prefix.special]" name and "OnEventName" value) to indicate how it's data needs to be processed when form will be submitted.
This doesn't pose any security risk, because user isn't allowed to do anything, unless he/she has corresponding permissions assigned. However if, due developer mistake, website data isn't as protected anymore, then supplying alternative "EventName or "prefix.special" might allow to retrieve that data.
Solution
I propose router classes (e.g. AbstractRouter) that deal with url parsing on the Front-End would also have access to the:
- headers (originally requested in Routing Ideas, but not implemented)
- other request info (e.g.
$_SERVER['REQUEST_METHOD'])
Then this information can be used to make same URL perform different actions depending on how it's accessed (via POST or GET). For example:
- when /platform/register.html url is accessed via GET, then show matching template
- when /platform/register.html url is accessed via POST, then execute "u.register:OnCreate" event on form data
Unfortunately each website have different URL structure it isn't possible to configure them upfront, but it's very simple to configure them on each project.