CodeIgniter Forums

Full Version: validating access by url
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Hi all,

I have a multiuser application and the user can access to http://myapp/bills/edit/1 to edit the bill with id 1.

Looking at that url the user can modify it to http://myapp/bills/edit/2 to edit the bill with id 2

But maybe the bill with id 2 belongs to another user!!

there is a way to control that kind of accesses?? maybe with any configuration? To check it in database will be a lot of work (I have several controllers)

Thanks in advance

My apologies if it's a duplicated thread ...
Use a session for each user. Session data has their uid. If session uid and uid do not match they can't access that page/url.
Hi donpwinston,

I don't get you. I'm already using sessions. Is a correctly logged user who can access to that url and not should to ...
I think this is very straight forward. You have a user requesting information. The first thing to do is to see if that user has permission to access that information. i.e. does bill id 2 belong to that user or not. If not, they get an error message.

Less straight forward is using id's in urls. Your bill should be assigned a unique code upon creation, so the request url is more like:

Code:
Not:
http://myapp/bills/edit/1

But:
http://myapp/bills/edit/jh234hdhpewsdkfj

Now what are you going to change to guess the next bill? Even if you do guess a bill code, you will not have permission to view it anyway. Also, if I get a new bill marked id=27, I can now guess you have issued 27 bills. With a code, you have no idea.

I would never user an id in a url. All my resources are accessed via a code, normally 16 characters long. But you MUST still make sure that the requesting user actually has permission to access the requested resource.

Hope that helps,

Best wishes,

Paul.