aGO
Reputation: 1363
How to prevent user to access other users' data?
PROBLEM
- User authenticated into the application
- Simple database schema: User ---> Document ---> Item
- API to access to Document Items
If the logged user knows the id of items that belong to some other user, he can access to it. I would like to prevent this behavior.
SOLUTION
The first solution I found is to add a userid field to every records in every table to check at every query if the record belong to the logged user.
This is a good solution? Do you know some better design pattern to prevent the user to access other users' data?
Thanks
Upvotes: 1
Views: 1058
Answers (1)
SQB
Reputation: 4078
- If the documents belong to a user, adjust your queries so that only items that belong to the user's documents are retrieved. No need to add userIDs to the items themselves.
- If you need to expose IDs to the users, make those IDs GUIDs, instead of consecutive numbers. While not a perfect solution, it makes it much harder to guess the IDs of other users' items,
- If you're using Oracle, there's VPD, Virtual Private Database. You can use that to restrict access for users.
Upvotes: 1
Related Questions
- SQL Server how to control access to data between clients on the same database
- multiple users Database design
- Access rights database design
- how to create a Database design for access control and tracking?
- User Privacy and Data Security in Databases
- data model design pattern that holds data changes until authorized by another user
- Structure for managing user access on a site
- Database Design - Users and their privacy
- users and permissions
- How to protect a database?