Authenticators are objects that decide whether the user is authenticated and has the right credentials. This usually means checking whether the user is logged in and looking up the user's credentials in a database or LDAP service. PntNoAuthenticator is the default authenticator of phpPeanuts: it allows all users access to everything and pretends they have all credentials. To add authentication to an existing phpPeanuts application you only have to build your own Authenticator class and make the SecurityManager return an instance of it.
(phpPeanuts >= 2.2) A PntError that signals a possible security threat. Where it is caught, the exception is logged and rethrown, so that the possible threat leaves a trace in the log.
User interface objects check with the SecurityManager whether they may show a page, dialog or part, or perform an action. PntSecurityManager defines the API for this and provides defaults by delegating to checks on larger units or lower security levels. For example, if a user may see objects of a certain type, PntSecurityManager will by default also allow them to edit and delete objects of that type. Application developers are expected to override this if they want stricter control. At the end of the delegation chain PntSecurityManager allows all users access to all applications (the largest units), so unless a check is overridden, all users are allowed everything.
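The following is an added, stand-alone illustration of the authenticator/security-manager split and of the default delegation chain described above. It is not phpPeanuts code: the class and method names (Authenticator, NoAuthenticator, SessionAuthenticator, SecurityManager, mayView/mayEdit/mayDelete) and the in-memory user table are assumptions made for this example, and PHP 8 is assumed for constructor property promotion.

```php
<?php
// Added example, not phpPeanuts' own API: names below are assumptions.

interface Authenticator {
    public function isAuthenticated(): bool;
    public function hasRole(string $role): bool;
}

// Stands in for a "no authenticator": everyone is logged in and has every role.
final class NoAuthenticator implements Authenticator {
    public function isAuthenticated(): bool { return true; }
    public function hasRole(string $role): bool { return true; }
}

// Session-backed authenticator. The constructed USERS table stands in for the
// database or LDAP lookup a real authenticator would perform.
final class SessionAuthenticator implements Authenticator {
    private const USERS = [                       // constructed sample data
        'alice' => ['roles' => ['editor']],
        'bob'   => ['roles' => ['viewer']],
    ];

    public function __construct(private ?string $userId) {}

    public function isAuthenticated(): bool {
        return $this->userId !== null && isset(self::USERS[$this->userId]);
    }

    public function hasRole(string $role): bool {
        return $this->isAuthenticated()
            && in_array($role, self::USERS[$this->userId]['roles'], true);
    }
}

// Default delegation chain: every narrower check falls back on the wider one,
// so "may view type X" implies "may edit X" and "may delete X" until overridden.
class SecurityManager {
    public function __construct(protected Authenticator $auth) {}

    public function mayAccessApp(): bool { return $this->auth->isAuthenticated(); }
    public function mayView(string $type): bool { return $this->mayAccessApp(); }
    public function mayEdit(string $type): bool { return $this->mayView($type); }
    public function mayDelete(string $type): bool { return $this->mayEdit($type); }
}

// Stricter override: editing needs an explicit role, and Invoice objects can
// never be deleted through the UI regardless of role.
final class StrictSecurityManager extends SecurityManager {
    public function mayEdit(string $type): bool {
        return $this->mayView($type) && $this->auth->hasRole('editor');
    }

    public function mayDelete(string $type): bool {
        return $type !== 'Invoice' && $this->mayEdit($type);
    }
}

$cases = [
    ['default',      new SecurityManager(new NoAuthenticator())],
    ['alice strict', new StrictSecurityManager(new SessionAuthenticator('alice'))],
    ['bob strict',   new StrictSecurityManager(new SessionAuthenticator('bob'))],
    ['anon strict',  new StrictSecurityManager(new SessionAuthenticator(null))],
];
foreach ($cases as [$label, $sm]) {
    printf("%-13s viewNote=%d editNote=%d deleteNote=%d deleteInvoice=%d\n",
        $label,
        $sm->mayView('Note'), $sm->mayEdit('Note'),
        $sm->mayDelete('Note'), $sm->mayDelete('Invoice'));
}
```

The point of the chain is that a default manager with a permissive authenticator answers yes to everything, exactly as the text describes; tightening security means overriding the narrower checks (edit, delete) rather than relying on the wider ones, and it is worth writing a small table like the one printed here for each type to confirm that the overrides actually bite.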
(phpPeanuts >= 2.2) A PntSecurityException that is thrown when a validation failure can not have been caused by the user entering invalid data nor by the non-existence of domain objects. The two remaining causes are:
- a bug in the software that created the URL, form or AJAX request, or
- a user manipulating the request, possibly to find exploits (this includes the use of exploit scanners).
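An added example of the classification described above, written for this page and not taken from phpPeanuts: a request handler for a hypothetical Note edit form that separates the three outcomes (user typed invalid data, referenced object does not exist, request could not have come from the application's own form). The exception class names, the NoteEditHandler class, its whitelist of editable properties and the constructed requests are all assumptions for this example.

```php
<?php
// Added example, not phpPeanuts code. Three causes of a failed request:
class ValidationException extends RuntimeException {}  // user entered invalid data
class NotFoundException   extends RuntimeException {}  // referenced object does not exist
class SecurityException   extends RuntimeException {}  // bug in the request builder, or tampering

final class NoteEditHandler {
    // Properties the edit form actually renders. Any other property name in a
    // request can not have originated from a form this application generated.
    private const EDITABLE = ['title', 'body'];

    // Constructed sample store standing in for the domain objects.
    private const NOTES = [1 => ['title' => 'hello', 'body' => 'first note']];

    public array $log = [];

    public function handle(array $request): array {
        try {
            return $this->apply($request);
        } catch (SecurityException $e) {
            // Log before rethrowing so the attempt is visible even if a higher
            // layer turns the exception into a generic error page.
            $this->log[] = sprintf('SECURITY %s request=%s',
                $e->getMessage(), json_encode($request));
            throw $e;
        }
    }

    private function apply(array $request): array {
        $id = $request['id'] ?? null;
        // The id is generated by the application, never typed by the user,
        // so a non-numeric id is tampering or a bug, not a validation error.
        if (!is_string($id) || !ctype_digit($id)) {
            throw new SecurityException('non-numeric id');
        }
        if (!isset(self::NOTES[(int) $id])) {
            throw new NotFoundException("note $id");  // stale link, not an attack
        }
        $note = self::NOTES[(int) $id];

        foreach ($request as $key => $value) {
            if ($key === 'id') {
                continue;
            }
            if (!in_array($key, self::EDITABLE, true)) {
                throw new SecurityException("unknown property '$key'");
            }
            if (!is_string($value)) {
                // e.g. title[]=x turns the value into an array; the form never does that
                throw new SecurityException("property '$key' is not a scalar");
            }
            if ($key === 'title' && (trim($value) === '' || strlen($value) > 80)) {
                throw new ValidationException('title must be 1..80 characters');
            }
            $note[$key] = $value;
        }
        return $note;
    }
}

$handler  = new NoteEditHandler();
$requests = [                                        // constructed requests
    ['id' => '1', 'title' => 'updated'],             // accepted
    ['id' => '1', 'title' => ''],                    // ValidationException
    ['id' => '7', 'title' => 'x'],                   // NotFoundException
    ['id' => '1 OR 1=1', 'title' => 'x'],            // SecurityException
    ['id' => '1', 'ownerId' => '0'],                 // SecurityException
];
foreach ($requests as $r) {
    try {
        print_r($handler->handle($r));
    } catch (ValidationException $e) {
        echo "ask user to correct: {$e->getMessage()}\n";
    } catch (NotFoundException $e) {
        echo "not found: {$e->getMessage()}\n";
    } catch (SecurityException $e) {
        echo "refused and logged: {$e->getMessage()}\n";
    }
}
print_r($handler->log);
```

The useful property of this split is that the security log only contains requests that honest use of the UI can not produce, which keeps it quiet enough to be read; the flip side is that a bug in your own URL or form generation shows up in the same log, so entries should be checked against a recent deploy before being treated as an attack.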