Answer the question
In order to leave comments, you need to log in
A
A
AR2017-10-08 12:06:02
AR, 2017-10-08 12:06:02
How to protect yourself from post request spoofing?
Good afternoon.
A simple example: there are comments under the post, each user can only delete their own comments. Deletion happens like this: an ajax request is made to the controller action, the request contains the comment id and other data. How it is possible to be protected from substitution of id of the comment in request?
Thanks in advance.
6 answer(s)
@Rsa97
@BuriK666
@0example
@xmoonlight
@amio
@Urichalex
R
Rsa97, 2017-10-08 @Rsa97
All data received from the client must be checked on the server. This includes both checking the correctness of the data itself and checking the user's rights to operate with this data.
A
Andrey Burov, 2017-10-08 @BuriK666
on the server side, check that the comment belongs to the user who sent the request.
A
Alexey Sklyarov, 2017-10-08 @0example
Check on the server, pass the user ID and comment ID, if they are linked in the database, then delete them, otherwise - an error.
X
xmoonlight, 2017-10-08 @xmoonlight
What for?! Just check the permissions of the current user (server session) to delete the comment with the given ID .
A
AR, 2017-10-08 @amio
As a result, the best solution is not to transfer any service data in clear text, but to hash them.
A
Alexander Urich, 2017-10-13 @Urichalex
The user ID is already in Yii::$app->getUser()->getId();
Pass the comment id and get the comment by specifying the user id in the selection, or drag this comment from the database and compare the field responsible for the comment user id with the current user id. If different - throw new ForbiddenHttpException();
Similar questions
Y
S
A
A
A
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question