

Security concern about multiuser data in a table



Wibi

Posted 02 November 2012 - 11:47 AM

Hi,
I have a question about security for editing/deleting data in a table.
For example, I have a table named my_files with these fields:


id   user_id   my_file
1    100       abc
2    100       def
3    105       cde


When a user is logged in as user_id 100, I can simply display the filtered my_files data to that user with this code:


function myfunction(){
    .......
    $crud->set_table('my_files');
    $crud->where('user_id',$this->session->userdata("loginuserid"));
    ......
}


Unfortunately $crud->where only works for the list, not for update/delete.
When it comes to updating/deleting a record, another user can still see/update/delete other users' data.
For example, when I am logged in with user_id 105, I can edit/delete the row in my_files with id 1 (owned by user 100) by accessing the URL:

www.mydomain...../memberarea/myfunction/edit/1 or www.mydomain...../memberarea/myfunction/delete/1

Is there any feature similar to the $crud->where command that I can use for securing edit/delete?


eg. $crud->where_delete('user_id',$this->session->userdata("loginuserid"));


so that when the URL www.mydomain...../memberarea/myfunction/delete/1 is called, it executes

delete from `my_files` where `id`='1' and `user_id`='105'

instead of

delete from `my_files` where `id`='1'

Also, for updating a record, it should not show the edit form when the additional where condition is not met.

Any idea?

victor

Posted 02 November 2012 - 12:33 PM

Hi Wibi, and welcome to the forum! There is a solution, but I'm busy now. I can help you later.

victor

Posted 03 November 2012 - 08:18 AM

This is a simplified version of the function, but it works.


var $user = 2;

function pr() {
    // validation init: reject the request before grocery CRUD touches the row
    $this->security();
    $crud = new grocery_CRUD();
    $crud->set_table('my_files');
    $crud->where('user_id', $this->user);
    $output = $crud->render();
    $this->_example_output($output);
}

function security() {
    // URL layout: /controller/pr/<state>/<id>
    $method = $this->uri->segment(3);

    // Guard every state that acts on a single record, including 'update',
    // the POST target of the edit form, not only the form display itself.
    if ($method == 'edit' or $method == 'update' or $method == 'update_validation' or $method == 'delete') {
        $id = $this->uri->segment(4);
        $result = $this->db->get_where('my_files', array('id' => $id), 1)->row();
        // A missing row and a row owned by someone else are rejected alike.
        if ($result === null || $result->user_id != $this->user) {
            echo "You don't have access";
            exit;
        }
        return true;
    }
}



Wibi

Posted 03 November 2012 - 11:36 AM

Hi victor,
Thanks a lot for your reply. After reading more of the documentation and finding $crud->set_model, I actually already had an idea to extend grocery_CRUD_Model as a solution.


class my_grocery_CRUD_Model extends grocery_CRUD_Model {
    // extra WHERE conditions applied on top of the primary key
    private $whereupdate = array();
    private $wheredelete = array();

    private function _rebuild_where($primary_key_value, $additional_where) {
        $primary_key_field = $this->get_primary_key();
        if (!empty($additional_where)) {
            $arr_where = $additional_where;
            $arr_where[$primary_key_field] = $primary_key_value;
        } else {
            $arr_where = array($primary_key_field => $primary_key_value);
        }
        return $arr_where;
    }

    function where_update($key, $val) { // for update
        $this->whereupdate[$key] = $val;
    }

    function where_delete($key, $val) { // for delete
        $this->wheredelete[$key] = $val;
    }

    function where_ext($key, $val) { // for update and delete
        $this->whereupdate[$key] = $val;
        $this->wheredelete[$key] = $val;
    }

    // Data for the edit form: returns no row when the extra conditions don't match.
    function get_edit_values($primary_key_value) {
        $where = $this->_rebuild_where($primary_key_value, $this->whereupdate);
        $this->db->where($where);
        $result = $this->db->get($this->table_name)->row();
        return $result;
    }

    function db_update($post_array, $primary_key_value) {
        $where = $this->_rebuild_where($primary_key_value, $this->whereupdate);
        return $this->db->update($this->table_name, $post_array, $where);
    }

    function db_delete($primary_key_value) {
        $primary_key_field = $this->get_primary_key();
        if ($primary_key_field === false)
            return false;

        // the delete conditions, not the update ones
        $where = $this->_rebuild_where($primary_key_value, $this->wheredelete);
        $this->db->limit(1);
        $this->db->delete($this->table_name, $where);
        // exactly one row must be gone; zero means not found or not owned by the caller
        return $this->db->affected_rows() == 1;
    }
}


And in my controller script:


function myfunction(){
    .....
    $crud = new grocery_CRUD();
    $crud->set_model('my_grocery_CRUD_model');
    $crud->set_table('my_files');
    $crud->where('user_id',$this->session->userdata("loginuserid"));
    $crud->basic_model->where_ext('siteid',$this->session->userdata("loginuserid"));
    .....
}


But it seems your code is cleaner and more effective :). Thanks a lot.
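The owner-scoped queries the thread arrives at (match on id AND user_id, then require exactly one affected row, as Wibi's db_delete does), as an added example that is not from the thread or from grocery CRUD: it is written in Python over an in-memory SQLite copy of the table so the pattern can be run independently of the PHP model, with the rows constructed from the example table above and function names chosen to mirror the model overrides.

```python
import sqlite3

# Constructed sample data mirroring the my_files table in the thread.
SAMPLE_ROWS = [(1, 100, "abc"), (2, 100, "def"), (3, 105, "cde")]

def make_db():
    """In-memory SQLite copy of my_files so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_files (id INTEGER PRIMARY KEY, "
                 "user_id INTEGER NOT NULL, my_file TEXT)")
    conn.executemany("INSERT INTO my_files VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def get_edit_values(conn, file_id, owner_id):
    """Row for the edit form, or None when the record is not the caller's."""
    return conn.execute("SELECT id, user_id, my_file FROM my_files "
                        "WHERE id = ? AND user_id = ?",
                        (file_id, owner_id)).fetchone()

def db_update(conn, file_id, owner_id, new_value):
    """Owner-scoped UPDATE: True only when exactly one row changed."""
    cur = conn.execute("UPDATE my_files SET my_file = ? "
                       "WHERE id = ? AND user_id = ?",
                       (new_value, file_id, owner_id))
    conn.commit()
    return cur.rowcount == 1

def db_delete(conn, file_id, owner_id):
    """Owner-scoped DELETE with the same affected-rows check as the model."""
    cur = conn.execute("DELETE FROM my_files WHERE id = ? AND user_id = ?",
                       (file_id, owner_id))
    conn.commit()
    # 0 rows means either no such id or a row owned by someone else;
    # both are reported as failure without revealing which.
    return cur.rowcount == 1

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM my_files").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    # user 105 calls /delete/1 on a row owned by user 100: nothing happens
    print(db_delete(db, 1, 105), row_count(db))  # False 3
    # the owner's own request succeeds
    print(db_delete(db, 1, 100), row_count(db))  # True 2
```

Because the ownership condition is part of the write statement itself, there is no window between a separate ownership check and the actual UPDATE/DELETE.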