user7619335

How to prevent someone misusing routing systems?

I'm using a routing system. You can use the URL to do some quick updates etc., without having to create a page for it. I believe this to be very effective. Though, how can I prevent a user from misusing it?

This line updates a user's account:

http://localhost:8080/Basic/Route/User/update/permissions>1/29

Class: User
Method: update
Set permissions => 1
Where id is 29

It works very nicely, but any user could type this into his URL bar if he knew how the system works.

Are there any ways to prevent misuses like this one?

Thanks!

Upvotes: 1

Views: 41

Answers (2)

Shira

Reputation: 6570

Add a CSRF token and it might be fine. I would also make it a POST request instead of GET if it isn't already.

If you don't secure your URLs/forms this way users might be tricked into performing actions they didn't intend to (e.g. by visiting a link from another website or an email).

Upvotes: 1

Wolen

Reputation: 904

You should implement user authentication, then check if the user is logged in and if he has the required permissions. I don't see any simpler way to do it.

Upvotes: 1
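Both answers together, as an added example that is not code from either answerer or from the asker's framework: a small dispatcher for the question's `.../User/update/permissions>1/29` route that refuses the request unless it is a POST from a logged-in session, carries that session's CSRF token, and comes from a user who holds the permission the action needs. The `USERS` table and `session_for` are constructed stand-ins for the asker's user store and login session.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the question's User table and login session.
USERS = {29: {"permissions": 0}, 7: {"permissions": 1}}

def session_for(user_id):
    """Constructed session: who is logged in plus a random per-session CSRF token."""
    return {"user_id": user_id, "csrf": secrets.token_hex(16)}

def dispatch(method, path, session, form):
    """Parse the question's route .../User/update/<field>><value>/<id> and run it.
    Returns (http_status, payload) instead of raising, so callers can see why it refused."""
    parts = path.strip("/").split("/")
    if len(parts) != 6 or parts[2:4] != ["User", "update"] or ">" not in parts[4]:
        return 404, "unknown route"
    field, value = parts[4].split(">", 1)
    if not value.isdigit() or not parts[5].isdigit():
        return 400, "bad parameters"
    return update_user(method, session, form, field, int(value), int(parts[5]))

def update_user(method, session, form, field, value, target_id):
    # 1. Only POST may change state (Shira's answer): a plain link in a page or email does nothing.
    if method != "POST":
        return 405, "POST required"
    # 2. Caller must be logged in (Wolen's answer).
    if not session or session.get("user_id") not in USERS:
        return 401, "login required"
    # 3. The form must carry the session's CSRF token; constant-time compare.
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 403, "missing or wrong CSRF token"
    # 4. Caller must hold the permission this action needs (the admin flag in USERS).
    if USERS[session["user_id"]]["permissions"] < 1:
        return 403, "insufficient permissions"
    if field != "permissions" or target_id not in USERS:
        return 400, "field not updatable"
    USERS[target_id][field] = value
    return 200, dict(USERS[target_id])
```

Step 3 protects a logged-in admin from being tricked into submitting the form from another site; step 4 is what stops user 29 from granting himself permissions even with a valid token.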
