FuelPHP Forums

Security opinion
  • Hi, I was about to start my new project but came across several issues.
    Let's say I'm building a messaging feature (~a tiny mail system).
    How would you design your URI? How about preventing one user from viewing others' messages? Regards
  • Say you have a messages table like this:
        id
        user_id
        message
        blah
        blahh
    In the view controller, you can check if the user_id matches the logged-on user_id in the session.
  • So how about the URI?
    You probably would have ROOT/messages/... Should I set message/user_ID/message_ID? Isn't this a security flaw?
  • peter vercauteren wrote on Wednesday 18th of May 2011:
    So how about the URI?
    You probably would have ROOT/messages/... Should I set message/user_ID/message_ID? Isn't this a security flaw?

    Don't pass user_id in the URL. How are you authenticating the user? If you use SimpleAuth you can do something like this:
    public function action_view($message_id)
    {
        // In SimpleAuth, get_user_id() returns array(driver_id, user_id).
        $user = Auth::instance()->get_user_id();
        $user_id = $user[1];

        // Get the message from the database.
        $query = Model_Message::find()->where('message_id', $message_id);
        $message = $query->get_one();

        // Check permission. A missing message is handled the same way as one
        // the user does not own, so $message->user_id is never read on null.
        if ($message and $message->user_id == $user_id) {
            // show the message.
        } else {
            // don't have permission so redirect them to wherever.
            Response::redirect('/');
        }
    }
  • thanks, that helps me a lot :)
  • np, make sure you check permission when deleting messages.
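The ownership check from the reply above, together with the delete case raised in the last post, as an added example that is not part of this thread or of FuelPHP: instead of fetching a message by its id and then comparing user_id afterwards, the query itself is restricted to the logged-in user, so view and delete share one rule and a message that belongs to someone else is reported as not found rather than redirected. It uses plain PHP with PDO and SQLite so it runs without the framework; the table columns, the user ids 10 and 20, and the class and function names are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added example; not code from the forum thread or from FuelPHP. Plain PHP with
// PDO/SQLite so it runs without the framework. The table layout (id, user_id,
// message) and the user ids 10 and 20 are constructed for the demo.

final class MessageRepository
{
    public function __construct(private PDO $db)
    {
    }

    // Fetch a message only if it belongs to $currentUserId. Because the query
    // itself is scoped by owner, a message that exists but belongs to another
    // user looks exactly like a message that does not exist.
    public function findForUser(int $messageId, int $currentUserId): ?array
    {
        $stmt = $this->db->prepare(
            'SELECT id, user_id, message FROM messages WHERE id = :id AND user_id = :uid'
        );
        $stmt->execute([':id' => $messageId, ':uid' => $currentUserId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    // The same ownership scope on the destructive path. True only when a row
    // owned by the caller was actually removed.
    public function deleteForUser(int $messageId, int $currentUserId): bool
    {
        $stmt = $this->db->prepare('DELETE FROM messages WHERE id = :id AND user_id = :uid');
        $stmt->execute([':id' => $messageId, ':uid' => $currentUserId]);
        return $stmt->rowCount() === 1;
    }
}

// What a controller action would do with the result: the caller never learns
// whether the id was wrong or merely not theirs.
function viewResponse(MessageRepository $repo, int $messageId, int $currentUserId): array
{
    $message = $repo->findForUser($messageId, $currentUserId);
    if ($message === null) {
        return ['status' => 404, 'body' => 'Not found'];
    }
    return ['status' => 200, 'body' => $message['message']];
}

// --- constructed fixture ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, message TEXT NOT NULL)');
$db->exec("INSERT INTO messages (id, user_id, message) VALUES (1, 10, 'hello from alice'), (2, 20, 'hello from bob')");
$repo = new MessageRepository($db);

// $alice stands in for Auth::instance()->get_user_id()[1] in a FuelPHP controller.
$alice = 10;

$checks = [
    // Alice requests /messages/view/2, which belongs to Bob: 404, nothing leaks.
    viewResponse($repo, 2, $alice)['status'] === 404,
    // Her own message is served normally.
    viewResponse($repo, 1, $alice)['body'] === 'hello from alice',
    // A guessed id that does not exist gets the same 404 as Bob's message.
    viewResponse($repo, 99, $alice)['status'] === 404,
    // Delete is scoped the same way: Bob's row survives, Alice's own row goes.
    $repo->deleteForUser(2, $alice) === false,
    $repo->deleteForUser(1, $alice) === true,
    $repo->findForUser(2, 20) !== null,
];

foreach ($checks as $i => $ok) {
    if (!$ok) {
        throw new RuntimeException("check $i failed");
    }
}
echo "all ownership checks passed\n";
```

Run it with `php example.php`. In FuelPHP's ORM the same scoping is an extra `->where('user_id', $user_id)` condition on the `Model_Message::find()` query before `get_one()`; a null result then covers both the missing and the not-owned case, and the delete action gets the identical condition so that guessing another user's message id does nothing.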
