CodeIgniter Forums

Full Version: How to delete only own records???
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

El Forum

[eluser]123wesweat[/eluser]
Hi,

I notice i only check if an user is logged in and then he can delete records from table education. Like /education/delete/userid/educationid

but it's also possible to delete someone else his records if you have the right userid + educationid.

What would be good practice to prevent this??
store an unique number in table education??

or check if the user_id equals uri segment x if true
Code:
if($user_id == $this->uri->segment(3) )
{
can delete
} else [
echo 'but why?';
}

Any tips suggestions??

El Forum

[eluser]danmontgomery[/eluser]
Validate the logged in user's id against userid before the record gets deleted...

El Forum

[eluser]123wesweat[/eluser]
@noctrum, you are fast.

I have edit my post with
Code:
if($user_id == $this->uri->segment(3) )
{
can delete
} else [
echo 'but why?';
}

Or something like
Code:
function delete($delete_user_id, $education_id)
        {
        $data['user_name'] = $this->dx_auth->get_username('username');
        $user_id = $this->dx_auth->get_user_id('username');
        if($delete_user_id == $user_id){
                $this->user_profile_features->delete_profile_feature_education($user_id, $education_id);
                } else {
                echo "but why?";
                return false;
            }
        }

El Forum

[eluser]danmontgomery[/eluser]
And if you want to take it one step further, it would be best to not even give users the option to delete things they won't have permission for... Which just means abstracting the access check, and either hiding the items from a list, or just hiding the delete link/button/icon in cases where the user doesn't have access.