CodeIgniter Forums
How to delete only own records??? - Printable Version

+--- Thread: How to delete only own records??? (/thread-27626.html)



How to delete only own records??? - El Forum - 02-16-2010

[eluser]123wesweat[/eluser]
Hi,

I notice I only check if a user is logged in, and then he can delete records from the table education, like /education/delete/userid/educationid

But it's also possible to delete someone else's records if you have the right userid + educationid.

What would be good practice to prevent this??
Store a unique number in the table education??

Or check if the user_id equals URI segment x, and if true:
Code:
if ($user_id == $this->uri->segment(3))
{
    // can delete: the logged-in user's id matches the id in the URL
} else {
    echo 'but why?';
}

Any tips or suggestions??


How to delete only own records??? - El Forum - 02-16-2010

[eluser]danmontgomery[/eluser]
Validate the logged in user's id against userid before the record gets deleted...


How to delete only own records??? - El Forum - 02-16-2010

[eluser]123wesweat[/eluser]
@noctrum, you are fast.

I have edited my post with
Code:
if ($user_id == $this->uri->segment(3))
{
    // can delete: the logged-in user's id matches the id in the URL
} else {
    echo 'but why?';
}

Or something like
Code:
function delete($delete_user_id, $education_id)
{
    $data['user_name'] = $this->dx_auth->get_username('username');
    $user_id = $this->dx_auth->get_user_id('username');

    // Only delete when the user id from the URL matches the logged-in user's id
    if ($delete_user_id == $user_id) {
        $this->user_profile_features->delete_profile_feature_education($user_id, $education_id);
        return true;
    } else {
        echo "but why?";
        return false;
    }
}



How to delete only own records??? - El Forum - 02-16-2010

[eluser]danmontgomery[/eluser]
And if you want to take it one step further, it would be best to not even give users the option to delete things they won't have permission for... Which just means abstracting the access check, and either hiding the items from a list, or just hiding the delete link/button/icon in cases where the user doesn't have access.
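Putting the two replies together, the server-side check can be made part of the DELETE itself, so hiding the link stays a usability improvement rather than the control. This is an added example, not code from the thread or from DX Auth; it assumes a CodeIgniter 1.x app with DX Auth loaded, the url helper autoloaded, and a table `education` with columns `id` and `user_id` (class and method names are hypothetical).

```php
<?php
// Added example (not from the thread): scope the DELETE to the authenticated
// user so a guessed education id alone can never remove someone else's row.
// Assumes CodeIgniter 1.x base classes (Model/Controller), DX Auth for the
// session, and a table `education` with columns `id` and `user_id`.

class Education_model extends Model
{
    // Deletes the row only if it belongs to $owner_id. Returns true when exactly
    // one row was removed, false when nothing matched (wrong owner or unknown id).
    public function delete_owned($owner_id, $education_id)
    {
        $this->db->where('id', (int) $education_id);
        $this->db->where('user_id', (int) $owner_id); // ownership enforced in the query
        $this->db->delete('education');
        return $this->db->affected_rows() === 1;
    }
}

class Education extends Controller
{
    // URL: /education/delete/<education_id>  (no user id in the URL at all)
    public function delete($education_id)
    {
        if (!$this->dx_auth->is_logged_in()) {
            redirect('auth/login');
            return;
        }

        // The owner id comes from the server-side session, never from the URI,
        // so there is nothing for the caller to tamper with.
        $owner_id = $this->dx_auth->get_user_id();
        $this->load->model('Education_model');

        if ($this->Education_model->delete_owned($owner_id, $education_id)) {
            redirect('education');
        } else {
            // Same response whether the row does not exist or belongs to another
            // user, so the URL reveals nothing about other users' records.
            show_404();
        }
    }
}
```

The view can still omit the delete link for rows the user does not own, but because the model's WHERE clause carries the owner id, a hand-typed URL is rejected by the same code path.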