
I'm using a routing system. You can use the URL to do some quick updates etc., without having to create a page for it. I believe this to be very effective. Though, how can I prevent a user from misusing it?

This line updates a user's account:

http://localhost:8080/Basic/Route/User/update/permissions>1/29

Class: User
Method: update
Set permissions => 1
Where id is 29

It works very nicely, but any user would be able to type this into his URL if he knew how the system works.

Are there any ways to prevent misuses like this one?

Thanks!

2 Answers

1

You should implement User Authentication, then check if the user is logged in and if he has the required permissions. I don't see any other, simpler way to do it.

Wolen
  • So before running the router class method etc., first check whether someone is logged in? –  Feb 25 '17 at 16:44
  • After running the router class, before executing the route's class. Just check if the user is logged in and if he has enough permissions to edit the user. – Wolen Feb 25 '17 at 16:47
  • Note that authentication alone will not prevent various CSRF exploits, especially if plain GET requests are used. – Shira Feb 27 '17 at 22:06
1

Add a CSRF token and it might be fine. I would also make it a POST request instead of GET if it isn't already.

If you don't secure your URLs/forms this way users might be tricked into performing actions they didn't intend to (e.g. by visiting a link from another website or an email).

Shira
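Putting both answers together (authentication and permission check before the route's class runs, plus POST-only routes with a CSRF token), here is an added example of a dispatcher for the question's route format. It is not code from either answer; the `Session` store, the `ADMIN` permission level and the `dispatch` function are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a server-side session; a real app would use its framework's session store.
@dataclass
class Session:
    user_id: Optional[int] = None          # None means nobody is logged in
    permissions: int = 0
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

ADMIN = 1  # hypothetical permission level required to change other users' permissions

def parse_route(path):
    """/Basic/Route/User/update/permissions>1/29 -> ("User", "update", {"permissions": "1"}, 29)"""
    parts = path.strip("/").split("/")
    # expected segments: Basic, Route, Class, Method, field>value, id
    if len(parts) != 6 or parts[:2] != ["Basic", "Route"]:
        raise ValueError("malformed route")
    cls, method, assignment, target = parts[2:]
    key, sep, value = assignment.partition(">")
    if not sep:
        raise ValueError("malformed assignment")
    return cls, method, {key: value}, int(target)

def dispatch(http_method, path, session, form):
    """Return (status, message). Every check runs before User.update would be reached."""
    # 1. State-changing routes are POST-only, so a plain link or <img> tag cannot trigger them.
    if http_method != "POST":
        return 405, "method not allowed"
    # 2. Authentication: the session must belong to a logged-in user.
    if session.user_id is None:
        return 401, "login required"
    # 3. CSRF: the token submitted with the form must match the one bound to this session.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "bad csrf token"
    try:
        cls, action, changes, target_id = parse_route(path)
    except ValueError as exc:
        return 400, str(exc)
    # 4. Authorization: only a known route is dispatched, and only an admin may edit permissions.
    if (cls, action) != ("User", "update"):
        return 404, "no such route"
    if "permissions" in changes and session.permissions < ADMIN:
        return 403, "insufficient permissions"
    return 200, f"user {target_id} updated: {changes}"
```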