How to protect yourself from post request spoofing?
Good afternoon.
A simple example: there are comments under a post, and each user can only delete their own comments. Deletion works like this: an AJAX request is sent to the controller action, and the request contains the comment id and other data. How can I protect against substitution of the comment id in the request?
Thanks in advance.
All data received from the client must be checked on the server. This includes both checking the correctness of the data itself and checking the user's rights to operate with this data.
On the server side, check that the comment belongs to the user who sent the request.
Check on the server: pass the user ID and comment ID, and if they are linked in the database, delete it; otherwise, return an error.
What for?! Just check the permissions of the current user (server session) to delete the comment with the given ID.
As a result, the best solution is not to transfer any service data in clear text, but to hash them.
The user ID is already in Yii::$app->getUser()->getId();
Pass the comment id and fetch the comment with the user id included in the query, or fetch the comment from the database and compare the field holding the comment's user id with the current user id. If they differ, throw new ForbiddenHttpException();
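The check described in the answers above (owner taken from the server session, compared with the comment's user id), written out as a Yii 2 controller. This is an added example, not code from any of the answerers: the `Comment` ActiveRecord model, its `user_id` column and the `CommentController` class name are assumptions made for the illustration. The first action shows the naive version the question is worried about; the second is the hardened one.

```php
<?php
// Added example (not from the answers above): a Yii 2 controller whose delete
// action removes a comment only if it belongs to the logged-in user.
// Assumptions: app\models\Comment is an ActiveRecord with columns id, user_id.

namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use yii\web\Response;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use app\models\Comment; // assumed model for this example

class CommentController extends Controller
{
    public function behaviors()
    {
        return [
            // Only authenticated users ('@') may reach the delete actions at all.
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    ['actions' => ['delete', 'delete-unsafe'], 'allow' => true, 'roles' => ['@']],
                ],
            ],
            // Accept POST only, so a plain link or image tag cannot trigger deletion.
            'verbs' => [
                'class' => VerbFilter::class,
                'actions' => ['delete' => ['post'], 'delete-unsafe' => ['post']],
            ],
        ];
    }

    /**
     * Naive variant: the server trusts the id from the request. Any logged-in
     * user who edits the id in the AJAX call deletes someone else's comment.
     * Kept here only to show what the hardened action fixes.
     */
    public function actionDeleteUnsafe()
    {
        Yii::$app->response->format = Response::FORMAT_JSON;
        $comment = Comment::findOne((int) Yii::$app->request->post('id'));
        if ($comment === null) {
            throw new NotFoundHttpException('Comment not found');
        }
        $comment->delete(); // no ownership check
        return ['ok' => true];
    }

    /**
     * Hardened variant: the owner is taken from the server-side session
     * (Yii::$app->user->id, the same value as Yii::$app->getUser()->getId()),
     * never from the request body, and compared with the record's user_id.
     */
    public function actionDelete()
    {
        Yii::$app->response->format = Response::FORMAT_JSON;

        // The id is untrusted client input; cast it before use.
        $id = (int) Yii::$app->request->post('id');
        $currentUserId = (int) Yii::$app->user->id;

        $comment = Comment::findOne($id);
        if ($comment === null) {
            throw new NotFoundHttpException('Comment not found');
        }

        // Authorization check: only the author may delete their own comment.
        if ((int) $comment->user_id !== $currentUserId) {
            throw new ForbiddenHttpException('You may only delete your own comments');
        }

        $comment->delete();
        return ['ok' => true];
    }
}
```

The other approach mentioned above, folding the owner into the query with `Comment::findOne(['id' => $id, 'user_id' => $currentUserId])`, is equivalent for security purposes and shorter; the trade-off is that the action can then only answer 404, so it cannot distinguish "does not exist" from "not yours" (which is sometimes preferable, since it does not reveal whether a given id exists).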