Record edit not restricted by where



Hitchhiker


Posted 09 October 2014 - 17:46 PM

I have a table with restricted viewing so that a user can only see the one record that they own.  I'm doing this with a simple where statement in the controller

$crud->where('uid', 1);

In the main table, as expected, you can only see the user who is logged in (user 1).

/view/1 shows user 1's data which matches the where limitation

/view/2 shows user 1's data and not user 2's, which I can live with.

/edit/1 allows user 1 to edit their own record.

The problem comes with /edit/2 when logged in as user 1. The edit form displays the correct information for user 2 and allows user 1 to read and change user 2's information. My expectation was that the where clause would be followed for all states to limit the data access.

Any thoughts or suggestions?


Amit Shah


Posted 10 October 2014 - 01:38 AM

Hi there

Sorry to say, but GC won't understand whether the record being fetched is within the where clause or not.

That level of security you have to provide within your code...
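As an added example of what "provide it within your code" looks like (this is not code from the thread or from grocery CRUD itself), the controller below checks the requested primary key against the logged-in user on every per-record state, so /edit/2 and /view/2 are refused for user 1 instead of silently ignoring the where clause. It assumes CodeIgniter with grocery CRUD, a table named profiles whose primary key is the owner's uid, and a current_user_id() helper; all three are assumptions for this example.

```php
<?php
// Added example: enforce row ownership for every grocery CRUD state, not only the list.
// Assumed: CodeIgniter + grocery CRUD, a `profiles` table keyed by `uid`, and a
// current_user_id() helper that returns the logged-in user's id.
class Profiles extends CI_Controller
{
    public function index()
    {
        $crud = new grocery_CRUD();
        $crud->set_table('profiles');        // assumed table name
        $crud->set_primary_key('uid');       // assumed: one row per user, keyed by uid
        $uid = (int) current_user_id();      // assumed helper

        // As the thread shows, where() only filters the list; the read, edit, update
        // and delete states still load whatever primary key is in the URL.
        $crud->where('profiles.uid', $uid);

        // So compare the requested primary key with the owner on every per-record state.
        $perRecord = array('read', 'edit', 'update', 'update_validation', 'delete');
        if (in_array($crud->getState(), $perRecord, true)) {
            $info = $crud->getStateInfo();
            if ((int) $info->primary_key !== $uid) {
                // Log the attempt for detection, then stop before any data is rendered.
                log_message('error', "uid $uid requested " . $crud->getState()
                    . " on row {$info->primary_key}");
                show_error('Not authorized', 403);
                return;
            }
        }

        // Defence in depth: refuse the write itself if the state check is ever bypassed.
        $crud->callback_before_update(function ($post_array, $primary_key) use ($uid) {
            if ((int) $primary_key !== $uid) {
                return false;                // grocery CRUD reports the update as failed
            }
            unset($post_array['uid']);       // the owner key must never be rewritten
            return $post_array;
        });

        $crud->unset_add();                  // users neither create nor delete profiles
        $crud->unset_delete();

        $output = $crud->render();
        $this->load->view('profiles_view', $output);
    }
}
```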