I have been using CakePHP for a long time now and enjoy every second. It provides a productive, easy to use and well documented platform for PHP applications. The key advantages for me are transparent object-relational mapping, a strong Model-View-Controller framework, and tons of extra utilities that make your life better.
I have come across a possible security issue in one of the CakePHP code examples. This section of code is responsible for authorizing or denying a client's access to a certain action (MVC flow):

<?php
function isAuthorized() {
    if ($this->action == 'delete') {
        if ($this->Auth->user('role') == 'admin') {
            return true;
        } else {
            return false;
        }
    }
    return true;
}
?>
The major security rule this code is breaking is: never ever have 'return true' as the default for an authorization method. Only 'delete' is checked here; every other action, including any action added to the controller later, is silently allowed for every user, so the safe default must be to deny and to allow only what is explicitly listed.
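The same hook rewritten to deny by default, as an added example that is not from the original post or from the CakePHP documentation. It assumes the controller-based authorization API used above ($this->action and $this->Auth->user('role')); the list of user-level actions is an assumption for illustration.

```php
<?php
// Added example: deny-by-default version of the isAuthorized() hook above.
// Assumes CakePHP's controller-based authorization, where the controller
// exposes $this->action and $this->Auth->user('role') as in the original.
class PostsController extends AppController {

    // Actions any logged-in user may run. Everything not listed here is
    // reserved for admins. (Assumed list, for illustration only.)
    protected $userActions = array('index', 'view', 'add');

    // Actions that require the admin role.
    protected $adminActions = array('delete');

    public function isAuthorized() {
        $role   = $this->Auth->user('role');
        $action = $this->action;

        // Explicit allow rules first. Strict comparison avoids PHP's loose
        // '==' surprises (e.g. 0 == 'admin' was true before PHP 8).
        if ($role === 'admin') {
            return in_array($action, $this->userActions, true)
                || in_array($action, $this->adminActions, true);
        }

        if (in_array($action, $this->userActions, true)) {
            return true;
        }

        // Explicit deny as the fall-through: a new action added to this
        // controller stays closed until it is opted in above.
        return false;
    }
}
```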