
I am sending back a number of selectable images (people's photographs) from Java via JSON to AJAX, to be displayed in HTML. With each image I send a parameter that corresponds to the person's ID. Only images of people they have a right to see are displayed. When the image is selected, this ID parameter is used to get the selected person's details and display them on a new HTML page.

The big issue is that this parameter can easily be changed by the user to display the details of someone else, whom they may not have the right to access. I can get around this by checking that the image ID is in the group the person has a right to access. However, is there a way to store the ID in such a way that it cannot be changed and is still attached to the image, so that when the image is selected I can access the correct ID and display the details knowing the ID has not been changed by the user?

The Java code is:

    // Builds an HTML fragment (the AJAX caller inserts it into the page). One Bootstrap
    // row holds up to 12 col-md-1 thumbnails, each linking to that member's overview page.
    StringBuilder json = new StringBuilder();
    int col = 1;
    for (final YouthMember youthMember : youthMembers) {
        String image = youthMember.getPhotograph();
        // The name is data, not markup: escape it before writing it into HTML.
        String name = (youthMember.getFirstname() + " " + youthMember.getSurname())
                .replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("'", "&#39;");

        if (json.length() == 0) {
            json.append("<div class='row'>");          // first member opens the first row
        } else if (col > 12) {
            json.append("</div><div class='row'>");    // row is full: close it and start another
            col = 1;
        }
        json.append("<div class='col-md-1'><a href='CubAwardOverview.html?id=").append(youthMember.getId())
            .append("'><img src='").append(image)
            .append("' height='60' width='60' style='border-style: none' alt='person image' /></a>")
            .append("<div class='caption'> <p>").append(name).append("</p> </div></div>");
        col++;
    }
    if (json.length() > 0) {
        json.append("</div>");                         // close the last open row (nothing to close if no members)
    }
    // The body is an HTML fragment, not a JPEG, so declare it as such.
    response.setContentType("text/html");
    response.setCharacterEncoding("UTF-8");
    response.getWriter().write(json.toString());
Glyn

1 Answer

One way is to encrypt the parameter so it cannot be changed. Refer to: how to encrypt/encode url parameters in jsp

Glyn
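An added example, not code from the question or the answer above, showing the usual way to make the `id` parameter tamper-evident: instead of (or as well as) encrypting it, the server attaches an HMAC over the member ID, an expiry time and the ID of the user the link was issued to. Encryption alone hides the value but does not by itself stop a user swapping in a different ciphertext; the MAC is what makes the token unforgeable, and binding it to the user stops a copied link being reused from another account. The class name `SignedIdToken`, the user ID `leader-7`, the secret and the timestamps are all assumptions made for the demo; in the servlet the secret would come from configuration and the user ID from the authenticated session.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.OptionalLong;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Issues and verifies HMAC-signed member-ID tokens for use in URLs (illustrative, not the page's code). */
public final class SignedIdToken {
    private static final String HMAC_ALG = "HmacSHA256";
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding(); // URL-safe, no '=' to escape
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final SecretKeySpec key; // server-side secret; never sent to the browser

    public SignedIdToken(byte[] secret) {
        this.key = new SecretKeySpec(secret, HMAC_ALG);
    }

    private byte[] mac(byte[] data) {
        try {
            Mac m = Mac.getInstance(HMAC_ALG);
            m.init(key);
            return m.doFinal(data);
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Token = base64url(memberId|expiresAt|userId) + "." + base64url(HMAC(payload)). */
    public String issue(long memberId, long expiresAtEpochSec, String userId) {
        byte[] payload = (memberId + "|" + expiresAtEpochSec + "|" + userId).getBytes(StandardCharsets.UTF_8);
        return B64.encodeToString(payload) + "." + B64.encodeToString(mac(payload));
    }

    /** Returns the member ID if the token is intact, was issued to userId and has not expired; empty otherwise. */
    public OptionalLong verify(String token, String userId, long nowEpochSec) {
        if (token == null) return OptionalLong.empty();
        int dot = token.indexOf('.');
        if (dot < 0) return OptionalLong.empty();
        byte[] payload, sig;
        try {
            payload = B64D.decode(token.substring(0, dot));
            sig = B64D.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return OptionalLong.empty();                // not base64url at all
        }
        // Constant-time comparison so a forger learns nothing from response timing.
        if (!MessageDigest.isEqual(mac(payload), sig)) return OptionalLong.empty();
        // userId is the last field, so a '|' inside it cannot shift the numeric fields.
        String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|", 3);
        if (f.length != 3 || !f[2].equals(userId)) return OptionalLong.empty();
        try {
            long memberId = Long.parseLong(f[0]);
            long expiresAt = Long.parseLong(f[1]);
            if (expiresAt <= nowEpochSec) return OptionalLong.empty();
            return OptionalLong.of(memberId);
        } catch (NumberFormatException e) {
            return OptionalLong.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed demo values (assumed, not from the post).
        byte[] secret = "replace-with-a-32-byte-random-secret".getBytes(StandardCharsets.UTF_8);
        SignedIdToken signer = new SignedIdToken(secret);
        long now = 1_700_000_000L;
        String token = signer.issue(42L, now + 600, "leader-7");

        System.out.println("url:        CubAwardOverview.html?id=" + token);
        System.out.println("valid:      " + signer.verify(token, "leader-7", now));      // OptionalLong[42]
        String tampered = "Q" + token.substring(1);                                      // flip a payload character
        System.out.println("tampered:   " + signer.verify(tampered, "leader-7", now));   // OptionalLong.empty
        System.out.println("other user: " + signer.verify(token, "leader-8", now));      // OptionalLong.empty
        System.out.println("expired:    " + signer.verify(token, "leader-7", now + 601)); // OptionalLong.empty
    }
}
```

In the listing code above, `youthMember.getId()` in the `href` would be replaced by `signer.issue(youthMember.getId(), expiry, currentUserId)`, and `CubAwardOverview` would call `verify` with the session's user ID before loading anyone's details. Two caveats a practitioner would want: a valid token only proves the server issued that ID to that user at some point, so if group membership can be revoked before the token expires, the page serving the details should still check entitlement (the membership check the question already describes remains the simplest control, and the token is a complement to it, not a replacement); and the HMAC key must be a high-entropy secret stored server-side, since anyone holding it can mint tokens for any ID.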