validating access by url
Hi all,
I have a multiuser application and the user can access http://myapp/bills/edit/1 to edit the bill with id 1. Looking at that url, the user can modify it to http://myapp/bills/edit/2 to edit the bill with id 2. But maybe the bill with id 2 belongs to another user!! Is there a way to control that kind of access?? Maybe with some configuration? Checking it in the database will be a lot of work (I have several controllers). Thanks in advance. My apologies if it's a duplicated thread ...
Use a session for each user. Session data has their uid. If session uid and uid do not match they can't access that page/url.
Simpler is always better
Hi donpwinston,
I don't get you. I'm already using sessions. It's a correctly logged-in user who can access that url and shouldn't be able to ...
I think this is very straightforward. You have a user requesting information. The first thing to do is to see if that user has permission to access that information, i.e. does bill id 2 belong to that user or not. If not, they get an error message.
Less straightforward is using ids in urls. Your bill should be assigned a unique code upon creation, so the request url is more like: Code: Not: Now what are you going to change to guess the next bill? Even if you do guess a bill code, you will not have permission to view it anyway. Also, if I get a new bill marked id=27, I can now guess you have issued 27 bills. With a code, you have no idea. I would never use an id in a url. All my resources are accessed via a code, normally 16 characters long. But you MUST still make sure that the requesting user actually has permission to access the requested resource. Hope that helps, Best wishes, Paul.
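Both points from Paul's reply, written out as an added example (not code from the thread or from any framework): bills get an unguessable 16-character code instead of a sequential id in the url, and every controller action still goes through one ownership check tied to the session user. The in-memory bill store, the user ids and the `AccessDenied` exception are constructed for the example.

```python
import secrets
import string

# Constructed stand-in for the bills table: code -> row.
BILLS = {}
_next_id = 1
ALPHABET = string.ascii_letters + string.digits


class AccessDenied(Exception):
    """Raised for both 'no such bill' and 'not your bill' so the
    response does not reveal whether a guessed code exists."""


def new_bill_code(length=16):
    # CSPRNG-backed, uniformly random code; it is not derived from
    # the row id, so nothing in it can be incremented to reach bill 27.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def create_bill(owner_id, amount):
    """Insert a bill and return the code that goes into the url."""
    global _next_id
    code = new_bill_code()
    while code in BILLS:          # vanishingly rare, but keep codes unique
        code = new_bill_code()
    BILLS[code] = {"id": _next_id, "owner_id": owner_id, "amount": amount}
    _next_id += 1
    return code


def load_bill_for(session_user_id, code):
    """The single ownership check every bill action must call first.
    The user id comes from the server-side session, never from the request."""
    bill = BILLS.get(code)
    if bill is None or bill["owner_id"] != session_user_id:
        raise AccessDenied(f"user {session_user_id} may not access bill {code}")
    return bill


def can_access(session_user_id, code):
    try:
        load_bill_for(session_user_id, code)
        return True
    except AccessDenied:
        return False


def edit_bill(session_user_id, code, new_amount):
    """Controller action for /bills/edit/<code>: check, then act."""
    bill = load_bill_for(session_user_id, code)   # raises before any write
    bill["amount"] = new_amount
    return bill
```

Put the same `load_bill_for` call at the top of view, edit and delete actions; a check that lives in one helper is far harder to forget in the next controller than one re-implemented per action.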