
I've been using Fat Free Framework 3.6 for a while and I'm having some trouble making sure of a few things related to the variables used; also please note that I'm not that knowledgeable as a PHP programmer. Here are some examples (I'm using a few "shortcut" methods for the SQL mapper, but I guess it's still readable):

function testroute() {

    // Q1 - Using f3-access to authorize a logged in user to advance on a route
    $this->access->authorize($this->f3->get('SESSION.user.group_id'));


    // Q2 - Change the f3 UPLOADS variable
    $this->f3->update('UPLOADS', '/different/location');


    // Q3 - Instantiate Users and User Groups from DB
    $users = new User($this->db);
    $userGroups = new UserGroups($this->db);

    // Load all records to array
    $arrayOfUsers = $users->all();
    $arrayOfUserGroups = $userGroups->all();

    // Make the arrays available to the template
    $this->f3->set('arrayOfUsers', $arrayOfUsers );
    $this->f3->set('arrayOfUserGroups', $arrayOfUserGroups );

    // Render the View
    $this->f3->set('view','content.test.htm');
    $template=\Template::instance();
    echo $template->render('layout.sidebar.htm');
}

Considering the example code above:

  1. Can the SESSION.user.group_id variable be tampered with/exploited by a logged in user, changing the value stored for its usergroup? If so, what is the/a more secure way of doing things like this, like having a isAdmin flag set at login?
  2. Does changing the UPLOADS variable make it different for the entire hive (i.e. all users), or is the change only for the current user?
  3. Within the template, is there a way of using the group_id value of a given user to get a different key of the related userGroup, like its slug? In the example below, I'm trying to avoid looping through @arrayOfGroups and for that I tried using array_search, but it returns empty (actually it returns the slug for id=0), i.e.:

    <include href="{{ 'navbar.htm' }}" />

    <repeat group="{{ @arrayOfUsers }}" value="{{ @item }}" >

    <tr class="">
        <td>{{ @item.username }}</td>
        <td>{{ @item.usergroup_id }}</td>
        <td>{{ @arrayOfUserGroups[array_search(@item.usergroup_id].slug }}</td>
    </tr>
    

    </repeat>

  4. In the last example, I have an <include> reference for a nav bar, which in turn will have <li></li> elements for the nav items. What is the appropriate way of applying <li class="active"></li> to a specific item, using this testroute() controller?

Cheers

acseven

1 Answer


Question #1: can a logged in user change its group?

No, a user cannot directly modify the contents of SESSION (unless you've provided him a way to do so). The only thing that can be exploited is the access itself, if the session id gets stolen (aka "session hijacking" cf. here or there).

Now, for the sake of flexibility, you'd better save the bare minimum inside SESSION. Storing the user group in the session prevents you from being able to dynamically change the group of a logged in user (the change will take effect on the next login). I'd rather advise to only store the user id and retrieve the group from it.

Question #2: Does changing the UPLOADS variable make it different for the entire hive (i.e. all users), or is the change only for the current user?

Only for the current user.

NB: the entire hive is "only for the current user". Only cached variables are shared.

Question #3: How to retrieve a specific group from $arrayOfUserGroups?

$arrayOfUserGroups is computed from $userGroups->all() which I guess is the result of the DB\SQL\Mapper->find() method. That method doesn't index the results by id, only by order of appearance in the SQL output.

So one way to fix your issue would be to reindex the result before returning it. Something like:

function all() {
  $groups=$this->mapper->find('');
  $all=[];
  foreach ($groups as $group)
    $all[$group->id]=$group;
  return $all;
  // or if you prefer a one-liner:
  // return array_combine(array_map(function($g){return $g->id;},$groups),$groups);
}

Now in your template:

{{ @arrayOfUserGroups[@item.usergroup_id].slug }}

Question #4: how to activate a nav item?

There are various ways to achieve this, and it depends on several factors like the navbar hierarchy depth, your routing structure (naming convention for URLs or aliases, static or dynamic routes), etc.

So I'll assume you're using a basic navbar with one level of hierarchy, no alias, and no dynamic route. In that case, you could hold the list of nav items (paths+labels) in one variable and compare them with the current PATH. E.g:

<repeat group="@navItems" value="@item">
  <li class="{{ @item.path==@PATH ? 'active' : '' }}">
    <a href="{{ @item.path }}">{{ @item.label }}</a>
  </li>
</repeat>
xfra35
  • Q1: Thanks for those reads - insightful. As for the user_group storage, I thought of this instead of doing an audit query to the database. For that particular issue of change, I use a method that refreshes a bunch of session variables when called, including that one. – acseven Jul 25 '17 at 11:11
  • Q4: thanks for the pointer - so essentially I have to prepare a variable just like any other. I was wondering if there was something else I could do on the templates themselves, but it's probably tidier that way. Again, thanks a lot for your input, it helped a bunch to make some sense of the bigger picture with variables. – acseven Jul 25 '17 at 11:11
  • Q2: Ah, that makes sense. Could you elaborate on the "cached variables" though, you mean when set with a TTL `$f3->set('key', 'value', 90)`? – acseven Jul 25 '17 at 11:12
  • Q3: Ok, thanks for the clarification, if I need it I have to reindex it. I'm guessing using the native array_ calls should be more efficient than just looping with the foreach? – acseven Jul 25 '17 at 11:12
  • Q2: well PHP/F3 variables are not persistent, unless you cache them. The framework provides numerous ways of caching data: using the third parameter of the base [set()](https://fatfreeframework.com/3.6/base#set) method, using the third parameter of the mapper [find()](https://fatfreeframework.com/3.6/sql-mapper#find) method, using the [Cache](https://fatfreeframework.com/3.6/cache) class directly, etc. – xfra35 Jul 25 '17 at 11:48
  • Q3: the difference in performance is [negligible](https://stackoverflow.com/questions/18144782/performance-of-foreach-array-map-with-lambda-and-array-map-with-static-function) for a common use, so it's all about choosing the easiest code to read for you. – xfra35 Jul 25 '17 at 11:57
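The two points the answer makes for Q1 and Q3 (keep only the user id in SESSION and look the group up per request; reindex the group list by primary key so the template can address it directly) can be put together in one small F3 controller. The following is an added example written for this page, not code from the question, the answer, or the Fat-Free project. It assumes a `users` table with `id`, `username`, `password_hash` and `group_id` columns, a `user_groups` table with `id` and `slug`, and a PDO DSN for `\DB\SQL`; those names, the route paths and the helper names `currentGroupId()` / `groupsById()` are all assumptions. It uses only Base, DB\SQL and DB\SQL\Mapper calls that exist in F3 3.x (`get`/`set`/`clear`, `route`, `reroute`, `error`, `load`, `dry`, `find`, `cast`) plus PHP's own `session_regenerate_id()`, which is the part that addresses the session-hijacking/fixation remark in the answer: the session id is rotated at login before any identity is written into it, and again at logout.

```php
<?php
// Added example, not from the original post. Assumes an F3 3.6 app and the
// table/column names described in the lead-in (all assumptions).

$f3 = \Base::instance();
$db = new \DB\SQL('sqlite:/tmp/example.db'); // assumption: any PDO DSN works

// Login: verify the password, then rotate the session id BEFORE writing the
// identity into it, so a session id planted by an attacker before login
// (session fixation) is never promoted to an authenticated session.
$f3->route('POST /login', function (\Base $f3) use ($db) {
    $user = new \DB\SQL\Mapper($db, 'users');
    $user->load(['username=?', (string) $f3->get('POST.username')]);
    if ($user->dry() || !password_verify((string) $f3->get('POST.password'), $user->password_hash)) {
        $f3->error(401);
        return;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $f3->clear('SESSION.user');                  // drop any copy of a previous identity
    $f3->set('SESSION.user_id', (int) $user->id); // the only thing we persist
    $f3->reroute('/admin');
});

// Resolve the group on every request from the DB, never from a session copy.
// A group change (or account deletion) in the DB takes effect on the next
// request, which is exactly what caching group_id in SESSION prevents.
function currentGroupId(\Base $f3, \DB\SQL $db): ?int
{
    $id = $f3->get('SESSION.user_id');
    if (!is_int($id)) {
        return null; // not logged in (or someone wrote junk into the session)
    }
    $user = new \DB\SQL\Mapper($db, 'users');
    $user->load(['id=?', $id]);
    return $user->dry() ? null : (int) $user->group_id;
}

// Q3: reindex the group rows by primary key. find() returns them in SQL
// order, so without this the template would need a loop (or array_search).
function groupsById(\DB\SQL $db): array
{
    $byId = [];
    foreach ((new \DB\SQL\Mapper($db, 'user_groups'))->find() as $group) {
        $byId[(int) $group->id] = $group->cast(); // plain array the template can read
    }
    return $byId;
}

$f3->route('GET /admin', function (\Base $f3) use ($db) {
    $groupId = currentGroupId($f3, $db);
    if ($groupId === null) {
        $f3->reroute('/login');
        return;
    }
    // Hand the freshly looked-up value to the authorization layer here
    // (e.g. $access->authorize($groupId)); never the stale SESSION.user.group_id.
    $f3->set('groupId', $groupId);
    $f3->set('groupsById', groupsById($db));
    $f3->set('users', (new \DB\SQL\Mapper($db, 'users'))->find());
    echo \Template::instance()->render('admin.htm');
});

$f3->route('GET /logout', function (\Base $f3) {
    $f3->clear('SESSION'); // F3 destroys the PHP session when the SESSION key is cleared
    $f3->reroute('/login');
});

$f3->run();
```

With `groupsById` in the hive, the template lookup the question was after becomes `{{ @groupsById[@item.group_id].slug }}` inside the `<repeat>` over `@users`. The `is_int()` check in `currentGroupId()` is deliberate: the session store is server-side, so a browser cannot edit it, but any code path that copies request data into `SESSION.*` would, and a strict type check plus a DB lookup keeps a bad value from ever reaching the authorization call.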