Is hiding Reply Button enough?


doubledee

I have a business rule that says...

Users may only "reply" to a Private Message that is "incoming".

 

So, in other words, you cannot reply to a message that you sent someone else (i.e. "Sent"), and you cannot reply to a message you deleted (i.e. "Trash").

 

Without going into my entire code-base here, I am still not entirely sure how to do this on the back-end, and thus the purpose of this thread...

 

So, is it sufficient to just hide the "Reply" button on all "Sent" and "Trash" Private Messages, so that people can't try to reply to them?

 

(I suppose anything can be hacked on the back-end, but I'd like to think this is one time where this is probably sufficiently secure, but you guys tell me?!)

 

Thanks,

 

 

Debbie

 

I suppose anything can be hacked on the back-end, but I'd like to think this is one time where this is probably sufficiently secure

 

That comment is diametrically opposed. That solution is probably "sufficient", but is not fool-proof. Whether it is secure or not is a different thing entirely. If someone replies to a message you would rather they did not, that is not a security issue. But, if you want to prevent someone from replying to a message they should not, then you *should* prevent it on the receiving page. Simply check if the message that is being replied to meets the requisite conditions before accepting it. Preventing users from doing something by hiding controls is typically a poor implementation. If you are not checking whether the message the person is replying to is a deleted or sent message, then what else are you not checking? Are you checking if the message is even one that the user is involved in? If so, then also checking to see that it is not deleted or a sent message should only require a slight modification in the query used to perform that check.

I suppose anything can be hacked on the back-end, but I'd like to think this is one time where this is probably sufficiently secure

 

That comment is diametrically opposed. That solution is probably "sufficient", but is not fool-proof. Whether it is secure or not is a different thing entirely. If someone replies to a message you would rather they did not, that is not a security issue. But, if you want to prevent someone from replying to a message they should not, then you *should* prevent it on the receiving page. Simply check if the message that is being replied to meets the requisite conditions before accepting it. Preventing users from doing something by hiding controls is typically a poor implementation. If you are not checking whether the message the person is replying to is a deleted or sent message, then what else are you not checking? Are you checking if the message is even one that the user is involved in? If so, then also checking to see that it is not deleted or a sent message should only require a slight modification in the query used to perform that check.

 

It is after Midnight and I have been coding since this morning, so I'm sort of in a haze at this point...

 

However, to address what you are saying above - leaving out lots of details - it goes like this...

 

I am finding that the architecture I chose is maybe not so great in how I manage the "state" of a Private Message.

 

If I do things over later, I will likely have a field called "pm_state".

 

What I am finding very hard to manage is when the Sender is also the Receiver.  (At the same time, I am probably making life more difficult than needed because only losers spend all day PM'ing themselves in the real world?!  *LOL*)

 

For instance, I discover with my table structure, there is no way to know if a view of a PM is "Sent" or "Received" because once you do a join those worlds become one.  (Not sure if diving deep into the rabbit hole makes sense for this thread?!)  :shrug:

 

I obviously always try to code things the best way that I can, but I am realizing building my own PM system is a hell of a lot harder than you'd think.

 

And since I am wrapping it up tonight, I'm kinda crossing over into my "Good enough for Version #1" mode...

 

 

Debbie

 

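The server-side check the reply above recommends, worked through as an added example (not code from either poster): the reply handler decides from the database whether the message is incoming for the current user and not in their Trash, ignoring whether a button was shown. The schema, the `recipient_deleted` flag and the sample rows are constructed assumptions; the self-PM case from the later post is handled by keying the check on the recipient role, so the one row is still "incoming" even though the same user also sent it.

```python
import sqlite3

# Constructed schema (assumption, not the poster's real tables): one row per
# private message. A row is "Sent" for its sender, "Incoming" for its
# recipient, and "Trash" for the recipient once recipient_deleted = 1.
SCHEMA = """
CREATE TABLE pm (
  id INTEGER PRIMARY KEY,
  sender_id INTEGER NOT NULL,
  recipient_id INTEGER NOT NULL,
  body TEXT NOT NULL,
  recipient_deleted INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed sample data. Row 3 is a self-PM (sender == recipient);
# row 4 sits in user 20's Trash.
SAMPLE = [
    (1, 10, 20, "hi from 10 to 20", 0),
    (2, 20, 10, "hi from 20 to 10", 0),
    (3, 20, 20, "note to self", 0),
    (4, 10, 20, "old message", 1),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO pm VALUES (?, ?, ?, ?, ?)", SAMPLE)
    return conn


def replyable_pm(conn, viewer_id, pm_id):
    """Return the parent row only if it is incoming for viewer_id and not
    in their Trash. One query covers all three conditions the thread lists:
    the viewer is involved (as recipient), it is not Sent, it is not Trash."""
    return conn.execute(
        "SELECT id, sender_id FROM pm "
        "WHERE id = ? AND recipient_id = ? AND recipient_deleted = 0",
        (pm_id, viewer_id),
    ).fetchone()


def handle_reply(conn, viewer_id, pm_id, text):
    """Simulated POST handler: a forged request for a Sent, Trash, foreign
    or nonexistent message is refused before anything is written."""
    parent = replyable_pm(conn, viewer_id, pm_id)
    if parent is None:
        return "forbidden"
    conn.execute("INSERT INTO pm (sender_id, recipient_id, body) VALUES (?, ?, ?)",
                 (viewer_id, parent[1], text))
    return "ok"
```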
