I develop a web application with CakePHP 2.9.9 where users can register and should use the application within their respective user role context. Before I will go online, I would like to ask some things about how to make the application more secure apart from activating the security component.
I guess I have to read out essential things like the user id or the user role in every function by using AuthComponent::user('id') to get fresh data and prevent manipulating user rights?
Do you recommend using ACLs in any case, or is it more likely for complex applications? My application is not highly complex and I think that using ACLs do not help me to protect users from manipulating sent GET or POST IDs I usefor reading or writing records. If I have to code my own protection anyway, I'm not sure if it is worthwhile to use ACL as a blackbox and cannot assess the risc of getting corrupt ACL data later.
Are view variables or other data visible to users with debug level set to 0 in any scenario? When developing it is very helpful to use debug kit and view all the data. But which data can be gathered without debugging?