How to delete only own records???

#1
[eluser]123wesweat[/eluser]
Hi,

I notice I only check if a user is logged in, and then he can delete records from table education, like /education/delete/userid/educationid

but it's also possible to delete someone else's records if you have the right userid + educationid.

What would be good practice to prevent this??
Store a unique number in table education??

or check if the user_id equals URI segment x, and if true:
Code:
if ($user_id == $this->uri->segment(3))
{
    // can delete
}
else
{
    echo 'but why?';
}

Any tips or suggestions??

#2
[eluser]danmontgomery[/eluser]
Validate the logged in user's id against userid before the record gets deleted...

#3
[eluser]123wesweat[/eluser]
@noctrum, you are fast.

I have edited my post with
Code:
if ($user_id == $this->uri->segment(3))
{
    // can delete
}
else
{
    echo 'but why?';
}

Or something like
Code:
function delete($delete_user_id, $education_id)
{
    $data['user_name'] = $this->dx_auth->get_username('username');
    $user_id = $this->dx_auth->get_user_id('username');
    if ($delete_user_id == $user_id) {
        $this->user_profile_features->delete_profile_feature_education($user_id, $education_id);
    } else {
        echo "but why?";
        return false;
    }
}

#4
[eluser]danmontgomery[/eluser]
And if you want to take it one step further, it would be best to not even give users the option to delete things they won't have permission for... Which just means abstracting the access check, and either hiding the items from a list, or just hiding the delete link/button/icon in cases where the user doesn't have access.
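The approach discussed in #2 through #4, written out as an added example (not code from the thread or from the dx_auth project): the owner's user id comes only from the session, never from the URI, and the ownership check lives in the model's WHERE clause, so the controller cannot forget it. Table and column names (`education`, `id`, `user_id`) and the dx_auth calls `is_logged_in()` / `get_user_id()` are assumptions.

```php
<?php
// Added example, CodeIgniter 2 style to match the thread. Assumed schema:
// table `education` with columns `id` and `user_id`.

class User_profile_features extends CI_Model
{
    // Delete one education row, but only if it belongs to $owner_id.
    // Returns true when exactly one row was removed, false otherwise.
    public function delete_profile_feature_education($owner_id, $education_id)
    {
        $this->db->where('id', (int) $education_id);
        $this->db->where('user_id', (int) $owner_id);   // the ownership check
        $this->db->delete('education');
        return $this->db->affected_rows() === 1;
    }
}

class Education extends CI_Controller
{
    // URL becomes /education/delete/<education_id>: the user id is no longer
    // a URI segment, so there is nothing for a caller to tamper with.
    public function delete($education_id)
    {
        $this->load->helper('url');
        $this->load->model('user_profile_features');

        // Assumed dx_auth API: is_logged_in() and get_user_id().
        if (!$this->dx_auth->is_logged_in()) {
            show_error('Login required', 403);
            return;
        }
        $user_id = $this->dx_auth->get_user_id();

        if ($this->user_profile_features->delete_profile_feature_education($user_id, $education_id)) {
            redirect('education');
        } else {
            // Row does not exist or belongs to someone else. Same response for
            // both, so the URL cannot be used to probe which ids exist.
            show_404();
        }
    }
}
```

The view that lists education rows should only render the delete link for rows returned by a query already filtered on the logged-in user's id, which is the "hide the link" half of #4; the model check above is what actually enforces it.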

