This is an archived forum.

Problem with Edit and View



André Senju (Member)

Posted 14 May 2015 - 21:03 PM

I have a question about the security and integrity of my data.

I've started to develop an application and, for example, in a controller we process a table and select rows for a given UserID.
It works fine, but when I View or Edit a row:
the URL is http://some.location/index.php/crud/docentes/edit/4 where 4 is the Docente (my table) ID.

So if someone takes that URL and changes 4 to 9, for example, they can access the row with DocenteID = 9.

The same occurs with Edit.

I already have a control for users, but in this case an authenticated user can access another user's data too.

Thanks, and sorry for my English, I'm not fluent.

Brazilian regards.

Andre
Ron van den Bergh (Member)

Posted 18 May 2015 - 11:58 AM

I'd like a solution for this too ;)


André Senju (Member)

Posted 19 May 2015 - 04:24 AM

I think it's an aim of Grocery CRUD, because I think it's for prototypes and idea validation with fast development, not for developing final systems...

Amit Shah (Member)

Posted 22 May 2015 - 02:29 AM

I achieved it with the following mechanism:

        // Grocery CRUD state for the /edit/<id> URL; run this before $crud->render()
        if($crud->getState()=='edit') {
            $info = $crud->getStateInfo();
            $pk = $info->primary_key;   // the id taken from the URL
            $row = $this->common_model->getByField('payments', 'id', $pk);   // my way of querying the database
            // once you have the row, you can check whether the logged-in user has rights to it;
            // if not, throw an error, else allow it
        }
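The thread describes an insecure direct object reference: the row id in /edit/4 is user-controlled, and authentication alone does not authorize the user for that particular row. Below is an added example (not code from the thread or from the Grocery CRUD project) of a CodeIgniter controller that closes the gap in two layers: it scopes every Grocery CRUD query to the current user with where(), and it independently checks ownership of the primary key taken from the URL in the single-row states. The table name docentes, the column owner_user_id, the session key user_id and the view name crud_template are assumptions.

```php
<?php
// Added example, not from the thread or from Grocery CRUD itself.
// Assumptions: CodeIgniter 2/3 with Grocery CRUD 1.x loaded as a library,
// a `docentes` table with an `owner_user_id` column, and the authenticated
// user's id stored in the session under 'user_id'.
defined('BASEPATH') OR exit('No direct script access allowed');

class Docentes extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->database();
        $this->load->library('session');
        $this->load->library('grocery_CRUD');

        // Authentication first: reject anonymous requests before any CRUD state runs.
        if (!$this->session->userdata('user_id')) {
            show_error('Login required', 403);
        }
    }

    public function index()
    {
        $user_id = (int) $this->session->userdata('user_id');

        $crud = new grocery_CRUD();
        $crud->set_table('docentes');
        $crud->set_subject('Docente');

        // Layer 1: scope the list and edit queries Grocery CRUD builds to rows
        // this user owns, so /edit/9 for someone else's row finds nothing.
        $crud->where('docentes.owner_user_id', $user_id);

        // Layer 2: authorize the primary key from the URL explicitly for every
        // single-row state, independent of how the library applies the WHERE.
        $state = $crud->getState();
        if (in_array($state, array('read', 'edit', 'update', 'delete'), true)) {
            $info = $crud->getStateInfo();
            $this->assert_owner($info->primary_key, $user_id);
        }

        // Layer 3: the owner column is set server-side, never from the form,
        // so a user cannot insert or move a row into another user's scope.
        $crud->field_type('owner_user_id', 'invisible');
        $crud->callback_before_insert(function ($post_array) use ($user_id) {
            $post_array['owner_user_id'] = $user_id;
            return $post_array;
        });
        $crud->callback_before_update(function ($post_array, $primary_key) use ($user_id) {
            $post_array['owner_user_id'] = $user_id;
            return $post_array;
        });

        $output = $crud->render();
        $this->load->view('crud_template', $output);
    }

    // Fails closed: a missing row and a foreign row get the same 404, so the
    // response does not reveal whether an id exists.
    private function assert_owner($primary_key, $user_id)
    {
        $row = $this->db->select('owner_user_id')
                        ->get_where('docentes', array('id' => (int) $primary_key))
                        ->row();
        if ($row === null || (int) $row->owner_user_id !== $user_id) {
            show_error('Not found', 404);
        }
    }
}
```

The explicit check in assert_owner is deliberately kept even though where() already narrows the queries: the library's WHERE is documented for the list and edit paths, while the id from the URL also reaches update and delete, and a future change to the CRUD configuration should not silently reopen the hole. Any additional state you enable (multiple delete, custom actions) needs the same treatment, and states you do not need are best disabled with the library's unset_* methods.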

Paul Savostin (Member)

Posted 02 June 2015 - 12:05 PM

Hi guys! First of all, GC is for the admin part of an app, and if an admin can access another ID, so what?

Second, if you need separate access levels, then just check the user's access level in the controller and that's it. Or am I missing something?


Ron van den Bergh (Member)

Posted 26 August 2015 - 11:55 AM

Amit Shah wrote:

        if($crud->getState()=='edit') {
            $info = $crud->getStateInfo();
            $pk = $info->primary_key;
            $row = $this->common_model->getByField('payments', 'id', $pk);   // my way of querying the database
            // once you have the row, you can check whether the logged-in user has rights to it;
            // if not, throw an error, else allow it
        }

Sorry for my late reply...

It works, but it is not what I am looking for. Wouldn't it be easier to encrypt/decrypt the ID (using ID + session ID or something)?


vicky_spd15 (Member)

Posted 28 August 2015 - 10:05 AM

I'm also searching for the same issue...


Amit Shah (Member)

Posted 28 August 2015 - 11:54 AM

Well, having it set in the session is not possible, because this is the first encounter for you. If you wish to do that, then what you have to do is: on every edit link click you set the ID in the session and then retrieve it in that scenario. Not a good option, as I foresee it; this is much simpler. After that you also, at some point, need to remove the ID set in the session, as it might mingle with another CRUD function, and so on.
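Ron asks about encrypting the ID with the session ID, and Amit discusses stashing IDs in the session. Neither is what a practitioner would deploy as written: encryption gives confidentiality, not integrity, and storing IDs in the session does not scale past one link. The added example below (not from the thread or from Grocery CRUD) shows the closest sound version of the idea: a per-session HMAC over the row id, appended to the id in the URL and verified before the id is used. It assumes PHP 7 or later and a per-login secret kept in the session under the assumed key link_key. The important caveat comes after the code.

```php
<?php
// Added example, not from the thread. Plain PHP 7+, no framework.
// Assumption: a per-login random secret stored in $_SESSION['link_key'].
// The token is tamper-evident for THIS session only; it is a capability token
// for links the server issued, not a replacement for the ownership check.

function link_key()
{
    if (empty($_SESSION['link_key'])) {
        $_SESSION['link_key'] = bin2hex(random_bytes(16));  // fresh secret per login
    }
    return $_SESSION['link_key'];
}

// Build an opaque reference for a row: "<id>.<truncated hmac>".
// The table name is included so a token for docentes/4 is not valid for users/4.
function sign_id($table, $id)
{
    $id  = (string) (int) $id;
    $mac = hash_hmac('sha256', $table . '|' . $id, link_key());
    return $id . '.' . substr($mac, 0, 32);
}

// Return the integer id if the token is valid for this session, otherwise null.
function verify_signed_id($table, $token)
{
    $parts = explode('.', (string) $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $expected = substr(hash_hmac('sha256', $table . '|' . $parts[0], link_key()), 0, 32);
    // Constant-time comparison so the MAC cannot be guessed byte by byte via timing.
    return hash_equals($expected, $parts[1]) ? (int) $parts[0] : null;
}

// Constructed demo: a valid token for id 4 verifies; the same MAC moved to id 9 is rejected.
session_start();
$token = sign_id('docentes', 4);
var_dump(verify_signed_id('docentes', $token) === 4);          // bool(true)

$tampered = '9' . substr($token, strpos($token, '.'));
var_dump(verify_signed_id('docentes', $tampered) === null);    // bool(true)

// A token minted for another table does not transfer either.
var_dump(verify_signed_id('users', $token) === null);          // bool(true)
```

Use HMAC rather than encryption: the goal is that the client cannot forge or alter an id, which is an integrity property. Tokens are bound to the session secret, so they break bookmarks and shared links and expire at logout, which is usually acceptable for an edit URL. The caveat is that this only stops a user from reaching ids the server never linked to; it says nothing about whether the user is entitled to the row, so the controller must still verify ownership (the where() scope plus an explicit check on the primary key) before reading, updating or deleting it. The signed id is an extra layer, not the authorization decision.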