codeigniter permissible user actions
#1

[eluser]otn3m3m[/eluser]
Hi, typically a CodeIgniter MVC controller accepts an id as a parameter for a controller function. For example:
/photo/edit/1

A user would edit image id 1 from the photo controller. What is the best practice to prevent a user from editing someone else's image, for example editing id 2? Restriction has to include more than just verifying a logged in user, because a logged in user will still be able to edit image 2.

I was thinking that I would write a library that implements a permission function, that is called on all controller functions. I would pass the user id and the URL to the library function, which would contain logic to verify if a user could execute that function or, in this case, edit an image.

The problem I see is that it will be tedious to write the logic code for all functions of my site, as each is different logic. Is there a better generally practiced way?
#2

[eluser]Gerep[/eluser]
Hi otn3m3m,

I don't know if it will help you but I think that a combination between the image id and a token will do the trick, something like this.


view
Code:
<?php
$token = 'SouBrasileiro';
$id = 1;
$hash = md5($token . $id);
?>

<a href="http://www.yoursite.com/images/1/<?php echo $hash; ?>">Edit Image</a>

controller
Code:
function images($id, $hash)
{
    $token = 'SouBrasileiro';
    // Strict comparison: loose == can treat two different "0e..." digests as equal numbers
    if (md5($token . $id) === $hash) {
        echo 'yesssssssssssssss';
    } else {
        echo 'noooooooooooooo';
    }
}

Try to change the ID in your URL and the hash will be another one.

I think that's what you need, don't know if it will work 100% for you but that's what came to my mind, hope it helps =)
#3

[eluser]cmgmyr[/eluser]
otn3m3m,
I would suggest that you not do that (sorry Gerep). Even by hashing something like that you leave yourself open for security issues. This URL could be saved as history in their browser and picked up by the next person that uses it or could be copy/pasted to someone else. There are a number of other possibilities too. You want to do something similar to this basic example:
Code:
$user_id = 100;
$image_id = 25;

$sql = $this->db->query("SELECT `id` FROM `user_images` WHERE `id` = ".$this->db->escape($image_id)." AND `user_id` = ".$this->db->escape($user_id)."");
if ($sql->num_rows() == 0)
{
    die('Sorry, this is not your image.');
}
else
{
    //continue on...
}

You always want to keep permissions on the Session/Database side instead of something that the user can mess with (the URL). I hope that helps.

-Chris
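The two checks from posts #2 and #3 side by side, as an added example that is not code from any poster in this thread. It uses plain PDO with an in-memory SQLite database instead of CodeIgniter's `$this->db` so it runs stand-alone; the helper names `hash_allows` and `user_owns`, the `user_albums` table and the sample rows are assumptions made for illustration. The single allowlisted helper is one way to avoid writing separate ownership logic for every controller function.

```php
<?php
// Added example: constructed data and hypothetical helper names.
const TOKEN = 'SouBrasileiro'; // shared secret taken from post #2

// Post #2's check: the hash binds the image id only, not the requester,
// so any holder of the link passes it.
function hash_allows(int $imageId, string $hash): bool
{
    return hash_equals(md5(TOKEN . $imageId), $hash);
}

// Post #3's check, generalised to any table that carries a user_id column.
// Table names cannot be bound as parameters, so they come from an allowlist.
function user_owns(PDO $db, string $table, int $rowId, int $userId): bool
{
    $allowed = ['user_images', 'user_albums']; // assumed table names
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    $stmt = $db->prepare("SELECT 1 FROM $table WHERE id = ? AND user_id = ?");
    $stmt->execute([$rowId, $userId]);
    return $stmt->fetchColumn() !== false;
}

// Constructed sample data: image 1 belongs to user 100, image 2 to user 200.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_images (id INTEGER PRIMARY KEY, user_id INTEGER)');
$db->exec('INSERT INTO user_images VALUES (1, 100), (2, 200)');

$sessionUserId = 100;         // comes from the session, never from the URL
$sharedLink = md5(TOKEN . 2); // edit link for image 2, copied from user 200's history

// The hash check has no notion of who is asking for image 2.
var_dump(hash_allows(2, $sharedLink));

// The ownership check ties the row to the session user.
var_dump(user_owns($db, 'user_images', 2, $sessionUserId));
var_dump(user_owns($db, 'user_images', 1, $sessionUserId));
```

In a controller, `user_owns()` would be called at the top of each edit or delete method with the id from the URL and the user id from the session.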
#4

[eluser]Mike DeFelice[/eluser]
I do this a lot and cmgmyr has the perfect solution, I do it for all of my permissions as well.
#5

[eluser]Gerep[/eluser]
Hi cmgmyr,

You are right about the security issues but I think that's not the problem.

I think that otn3m3m wants to find a way to avoid the URL change. What if he doesn't have the user_id on the table? He will need to change every table on his database and that would be bad...

He wants to avoid something like images/delete/3 and the user simply typing another id (number) on the URL and pressing enter, and then the image will be deleted... he just wants to make sure the user won't be able to change the URL parameters.

If I'm not mistaken, I think it's all about cross-site request forgery.

That's what I think he needs =)
#6

[eluser]cmgmyr[/eluser]
Hi Gerep,
I'm going to have to disagree with you again :) There is no reason why he shouldn't be using images/delete/3, that is essentially what I do in all of my projects. That's why the user id and image id are checked against the database. If the user ids aren't associated with the tables I would put this in ASAP. Yes, it's a little more work right now, but if these aren't in the database I would call that bad practice (in my opinion). If the developer of a site/app is really worried about security and users messing with stuff, this is definitely the way to go.
#7

[eluser]Gerep[/eluser]
Hi again cmgmyr =)

I was not saying you were wrong, I work the way you do, no doubt it is the best option for security.

I was trying to help otn3m3m with a simple solution and as I said, the code came up to my mind and I wrote it =)

By the way, where is otn3m3m, he's the one interested and only you and I are really talking about hehehe

See ya...
#8

[eluser]cmgmyr[/eluser]
No problem. It's good for discussion anyways. Hopefully this helps someone out in the future too.

Good point, where did he go? :)
#9

[eluser]otn3m3m[/eluser]
Hi guys,

Thanks for the replies... I think I am going to implement a permission based system that ties objects to users. Seems to be more secure.

Thanks again.
#10

[eluser]Gerep[/eluser]
Hi otn3m3m,

If possible, paste your code or link, something about it...maybe it will help someone else :lol:



