[web2py] Re: Security advice for updating records

Sun, 10 Aug 2014 19:32:21 -0700 

On the client side who cares?

On Sunday, August 10, 2014 5:38:31 PM UTC-4, desta wrote:
>
> Thank you. But still the user is able to tamper data on client side right?
>
> On Sunday, August 10, 2014 11:00:47 PM UTC+3, Cliff Kachinske wrote:
>>
>> Each user has a unique group with only one member: him.
>>
>> So in your controller, something like
>>
>>
>> def my_great_function():
>>
>>     # Not sure if Web2py session supports get, session.get(auth.user.id, 
>> 'nobody') would be more 
>>     # concise than the next 4 lines of code.
>>     if 'auth' in session:  # defensive code in case session has timed out
>>         user_id = auth.user.id
>>     else:
>>         return  # Session has timed out, most likely. Maybe you want to 
>> redirect to login screen
>>         # user_id = 'nobody' Alternative if you don't want to redirect
>>     group_name = 'user_{}'.format(user_id)
>>     if not auth.has_membership(group_name):
>>         # whatever you decide to do with failed attempt
>>         pass
>>     #  Your great code here
>>     pass
>>
>>
>>
>>
>> On Friday, August 8, 2014 6:03:34 PM UTC-4, desta wrote:
>>>
>>> Let's assume a table:
>>> db.define_table('SecretData',
>>>                 Field('data','string'),
>>>                 Field('file_owner', 'reference auth_user', default=auth.
>>> user_id)
>>> The table is already populated.
>>>
>>> On the *View* side, the user is able to send an ajax request which 
>>> contains the *id*, and some data in order to *update* a record he owns.
>>>
>>> In this scenario, isn't possible for a user to tamper the *id* variable 
>>> (i.e. through javascript) and mess up with data from other users?
>>> How can I protect against this and enforce the update of the right 
>>> record?
>>>
>>> Thank you.
>>>
>>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to