Security Issue
#1

[eluser]haris244808[/eluser]
Hi there...
I am trying to solve a security issue about links.

Suppose, for example, we want to show a specific content and we use a link like:

Code:
echo '<a href="' . base_url() . 'content/' . $content_nr . '">View</a>';

where $content_nr is the id of the content, got from the db.

When the user clicks, it will send them to a function like:

Code:
public function content($content_nr)
{
    // depending on the $content_nr you get your data from the db and show it to the user
}

Now in the status bar the link is shown together with the $content_id.

Now, if you have 2 types of users, Admin and User,

and you show different topics to them (ex: say Topic A will be shown only to the Admin and the others will be shown to User B); however, they both will have the ability to edit the content, but only the contents shown to them.

And as I said, when they click on their content to edit it, the $content_id is shown in the status bar, and if you change that from the status bar to another content_id (ex: to the Admin user's content_id), the content which should be restricted for the user will be shown.

How can I prevent this? Any idea?
#2

[eluser]srpurdy[/eluser]
Build logic into your method so that it's not possible. A basic way to do this would be to have a user_id field, so that it's not possible to edit it if the user_id doesn't match the user trying to edit. You can put a clause in to allow "admin" to edit it no matter what. Really, it's as simple as a db query + an if statement like

Code:
if ($this->session->userdata('user_id') == $db_var->user_id OR $admin == TRUE)
{
    // edit allowed
}
else
{
    // edit not allowed
}

Of course these are just example variables; you'll need to do this based off what auth you're using and how you check for admin. This can get even more complex if you have multiple user groups with various access rights. But in a nutshell, that's a simplistic solution. :)
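The check srpurdy describes, written out as a complete CodeIgniter 2 controller. This is an added example, not code from either poster: it assumes a table named contents with columns id, user_id and body, session keys user_id and is_admin set at login, and a view at content/edit; the method names are illustrative. The insecure method is the situation from post #1; the fixed methods load the row by id and owner in a single query, so a foreign id behaves exactly like a non-existent one, and the same check runs on the save request, not only on the page that shows the form.

```php
<?php
// Added example (not from the original thread). Assumed schema: contents(id, user_id, body).
// Assumed session keys: user_id, is_admin. Assumed view: content/edit.
class Content extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->database();
        $this->load->library('session');
        $this->load->helper('url');

        // This only proves the visitor is logged in. It says nothing about
        // which rows that visitor is allowed to see or edit.
        if ( ! $this->session->userdata('user_id'))
        {
            redirect('auth/login');
        }
    }

    // INSECURE (the situation from post #1): the id from the URL is trusted and
    // nobody checks who owns the row, so any logged-in user can change
    // /content/edit_insecure/7 to /content/edit_insecure/8 and get another user's content.
    public function edit_insecure($content_id)
    {
        $row = $this->db->get_where('contents', array('id' => (int) $content_id))->row();
        if ($row === NULL)
        {
            show_404();
        }
        $this->load->view('content/edit', array('content' => $row));
    }

    // FIXED: the row is fetched by id AND by the current user's id in one query.
    // A foreign id finds nothing, and the response is the same 404 as for an id
    // that does not exist, so the URL leaks nothing about other users' ids.
    public function edit($content_id)
    {
        $row = $this->_load_for_current_user((int) $content_id);
        if ($row === NULL)
        {
            show_404();
        }
        $this->load->view('content/edit', array('content' => $row));
    }

    // The same ownership check must run on the request that saves the edit.
    // Protecting only the form page still lets a user POST to someone else's id.
    public function save($content_id)
    {
        $row = $this->_load_for_current_user((int) $content_id);
        if ($row === NULL)
        {
            show_404();
        }
        $this->db->where('id', $row->id)
                 ->update('contents', array('body' => $this->input->post('body', TRUE)));
        redirect('content/edit/' . $row->id);
    }

    // Owner filter lives in the query itself. Admins skip the owner clause,
    // which is the "allow admin no matter what" branch from post #2.
    private function _load_for_current_user($content_id)
    {
        $this->db->where('id', $content_id);
        if ( ! $this->session->userdata('is_admin'))
        {
            $this->db->where('user_id', (int) $this->session->userdata('user_id'));
        }
        return $this->db->get('contents')->row();
    }
}
```

Putting the owner clause in the query rather than in an if-statement after the fetch means every caller of _load_for_current_user gets the check for free, and there is no window where a row belonging to someone else has been loaded into memory before being rejected. The is_admin flag must come from the server-side session, never from a request parameter or a hidden form field.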
#3

[eluser]haris244808[/eluser]
[quote author="srpurdy" date="1364923723"]Build logic into your method so that it's not possible. A basic way to do this would be to have a user_id field, so that it's not possible to edit it if the user_id doesn't match the user trying to edit. You can put a clause in to allow "admin" to edit it no matter what. Really, it's as simple as a db query + an if statement like

Code:
if ($this->session->userdata('user_id') == $db_var->user_id OR $admin == TRUE)
{
    // edit allowed
}
else
{
    // edit not allowed
}

Of course these are just example variables; you'll need to do this based off what auth you're using and how you check for admin. This can get even more complex if you have multiple user groups with various access rights. But in a nutshell, that's a simplistic solution. :)[/quote]

Yeah, the way you're telling it, it's like checking if the user is logged in or not, and that can be done in the constructor.
But the situation I am in is kind of different. However, thanks, I solved it. :)