doubledee Posted May 29, 2012

I have a business rule that says... Users may only "reply" to a Private Message that is "incoming". So, in other words, you cannot reply to a message that you sent someone else (i.e. "Sent"), and you cannot reply to a message you deleted (i.e. "Trash"). Without going into my entire code-base here, I am still not entirely sure how to do this on the back-end, and thus the purpose of this thread...

So, is it sufficient to just hide the "Reply" button on all "Sent" and "Trash" Private Messages, so that people can't try to reply to them? (I suppose anything can be hacked on the back-end, but I'd like to think this is one time where this is probably sufficiently secure, but you guys tell me?!)

Thanks,

Debbie
Psycho Posted May 29, 2012

"I suppose anything can be hacked on the back-end, but I'd like to think this is one time where this is probably sufficiently secure"

That comment is diametrically opposed. That solution is probably "sufficient", but is not fool-proof. Whether it is secure or not is a different thing entirely. If someone replies to a message you would rather they did not is not a security issue. But, if you want to prevent someone from replying to a message they should not then you *should* prevent it on the receiving page. Simply check if the message that is being replied to meets the requisite conditions before accepting it.

Preventing users from doing something by hiding controls is typically a poor implementation. If you are not checking if the message the person is replying to is not a deleted or sent message then what else are you not checking? Are you checking if the message is even one that the user is involved in? If so, then also checking to see that it is not deleted or a sent message should only require a slight modification in the query used to perform that check.
doubledee Posted May 29, 2012 (Author)

"I suppose anything can be hacked on the back-end, but I'd like to think this is one time where this is probably sufficiently secure

That comment is diametrically opposed. That solution is probably "sufficient", but is not fool-proof. Whether it is secure or not is a different thing entirely. If someone replies to a message you would rather they did not is not a security issue. But, if you want to prevent someone from replying to a message they should not then you *should* prevent it on the receiving page. Simply check if the message that is being replied to meets the requisite conditions before accepting it.

Preventing users from doing something by hiding controls is typically a poor implementation. If you are not checking if the message the person is replying to is not a deleted or sent message then what else are you not checking? Are you checking if the message is even one that the user is involved in? If so, then also checking to see that it is not deleted or a sent message should only require a slight modification in the query used to perform that check."

It is after midnight and I have been coding since this morning, so I'm sort of in a haze at this point... However, to address what you are saying above - leaving out lots of details - it goes like this...

I am finding that the architecture I chose is maybe not so great in how I manage the "state" of a Private Message. If I do things over later, I will likely have a field called "pm_state". What I am finding very hard to manage is when the Sender is also the Receiver. (At the same time, I am probably making life more difficult than needed because only losers spend all day PM'ing themselves in the real world?! *LOL*) For instance, I discover with my table structure, there is no way to know if a view of a PM is "Sent" or "Received" because once you do a join those worlds become one.

(Not sure if diving deep into the rabbit hole makes sense for this thread?!)

I obviously always try to code things the best way that I can, but I am realizing building my own PM system is a hell of a lot harder than you'd think. And since I am wrapping it up tonight, I'm kinda crossing over into my "Good enough for Version #1" mode...

Debbie
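The following is an added illustration (not code from either poster) of the two points raised above: Psycho's advice to enforce the rule in the page that receives the reply rather than by hiding the button, and Debbie's "pm_state" idea for the case where the sender and the receiver are the same account. The table name `private_messages`, the column names, the `recipient_state` values and the sample rows are all constructed for the example; the check keys on the user's role in the row (recipient) plus the recipient-side folder state, so a self-addressed message is still "incoming" and still passes, while sent, trashed and unrelated messages are rejected no matter what the UI showed.

```python
import sqlite3

# Constructed schema (assumption, not the poster's table): one row per message.
# The recipient's copy carries its own folder state, so "Inbox" and "Trash"
# are never confused with "Sent" even when sender_id == recipient_id.
SCHEMA = """
CREATE TABLE private_messages (
    id              INTEGER PRIMARY KEY,
    sender_id       INTEGER NOT NULL,
    recipient_id    INTEGER NOT NULL,
    recipient_state TEXT NOT NULL CHECK (recipient_state IN ('inbox', 'trash')),
    body            TEXT NOT NULL
);
"""

# Constructed sample data: (id, sender_id, recipient_id, recipient_state, body)
SAMPLE_ROWS = [
    (1, 7, 42, "inbox", "hello Debbie"),   # incoming to user 42       -> replyable
    (2, 42, 7, "inbox", "hi back"),        # sent by user 42           -> not replyable by 42
    (3, 7, 42, "trash", "old message"),    # user 42 deleted it        -> not replyable
    (4, 42, 42, "inbox", "note to self"),  # self-PM, 42 is recipient  -> replyable
    (5, 7, 9, "inbox", "unrelated"),       # user 42 not involved      -> not replyable
]


def open_sample_db():
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO private_messages VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def can_reply(conn, user_id, message_id):
    """Server-side authorization check.

    True only when message_id is addressed to user_id AND is still in that
    user's inbox. A message the user sent, a message the user trashed, and a
    message the user is not part of all fail the same single query.
    """
    row = conn.execute(
        "SELECT 1 FROM private_messages "
        "WHERE id = ? AND recipient_id = ? AND recipient_state = 'inbox'",
        (message_id, user_id),
    ).fetchone()
    return row is not None


def post_reply(conn, user_id, message_id, body):
    """Handler the Reply form submits to: check first, accept only if allowed.

    Returns the id of the new message. Raises PermissionError otherwise, so a
    hand-crafted request with a forbidden message_id is rejected even though
    the Reply button was never shown for it.
    """
    if not can_reply(conn, user_id, message_id):
        raise PermissionError(f"user {user_id} may not reply to message {message_id}")
    (original_sender,) = conn.execute(
        "SELECT sender_id FROM private_messages WHERE id = ?", (message_id,)
    ).fetchone()
    cur = conn.execute(
        "INSERT INTO private_messages (sender_id, recipient_id, recipient_state, body) "
        "VALUES (?, ?, 'inbox', ?)",
        (user_id, original_sender, body),
    )
    conn.commit()
    return cur.lastrowid


if __name__ == "__main__":
    db = open_sample_db()
    for mid in (1, 2, 3, 4, 5):
        print(mid, "replyable by 42:", can_reply(db, 42, mid))
    print("new reply id:", post_reply(db, 42, 1, "thanks"))
```

The important design choice is that the same `can_reply` query answers both "is this user involved at all?" and "is it an incoming, non-deleted message?", which is exactly the slight modification Psycho describes; the `recipient_state` column is what makes the sender-equals-receiver case unambiguous, since the row's role columns, not the user id alone, decide whether the view is "Sent" or "Received".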
doubledee Posted May 29, 2012 (Author)

There! It took an extra hour and like 100 lines of code, but I wrote some new code to prevent someone from replying to Sent or Deleted messages assuming there is a "Reply" button always there.

Debbie