Adamhumbug Posted February 19

Hi All, I have a page that lists users. Clicking a user will take you to a page where you edit the user. I know that I can use GET to pass the user's ID from page A to page B, but I am trying to avoid users being able to hijack the URL and navigate around like that. I am trying to make sure that I prevent people seeing what they shouldn't with permissions and sessions, but I wanted to enquire if there was a better way to get around rather than GET. I have read that sessions could be an option, but how would I set the session on a button click when I would need JS for the button click and PHP to set the session? Would this be an AJAX job calling a PHP function? Any suggestions on the best way would be appreciated.
mac_gyver Posted February 20 (Solution)

Each page must enforce what the current user can do and see on that page, for a non-logged-in user, for a logged-in user, and for a logged-in administrator.

If the current user is not logged in, they can only do and see what you have coded on that page for a non-logged-in user to do and see. If they are a logged-in user and the user ID in the URL is the same as the currently logged-in user ID, they can perform actions like editing their own data and seeing all of their own data. If the currently logged-in user is an administrator, he/she would be able to pick any user and be able to perform actions like editing that user's normal data and seeing all that user's normal data, and be able to edit/see additional data, such as permissions, edit history, site activity, IP history, ...

If you aren't already doing so, your login code should store the user id (autoincrement primary index) in a session variable to indicate who the currently logged-in user is. If there is a logged-in user, you would query on each page request to get any other user data, such as username, email, permissions, ...
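As an added illustration of the approach mac_gyver describes (this is example code, not code from the thread or from either poster), the edit page below keeps the user id in the URL, as the original poster already does, and relies on the session plus a per-request permission check instead of trying to hide the id. It assumes the login code stored the autoincrement user id in $_SESSION['user_id'], that a `users` table has `id`, `role`, `username`, `email` and `permissions` columns, and that $pdo is an open PDO connection; all of those are assumptions for the example.

```php
<?php
// Added example (not from the thread): per-request authorisation for an "edit user" page.
// Assumptions: $_SESSION['user_id'] was set by the login code, a `users` table with
// id/role/username/email/permissions columns exists, and $pdo is an open PDO connection.
declare(strict_types=1);
session_start();

/**
 * Decide what the current visitor may do with the user record named in the URL.
 * Returns 'anonymous', 'self', 'admin' or 'forbidden'.
 */
function resolveAccess(?int $sessionUserId, string $sessionRole, ?int $requestedId): string
{
    if ($sessionUserId === null) {
        return 'anonymous';      // not logged in: only public content is available
    }
    if ($requestedId === null) {
        return 'forbidden';      // id missing from the URL or not a positive integer
    }
    if ($sessionRole === 'admin') {
        return 'admin';          // administrators may edit any user
    }
    // Ordinary users may only edit the record whose id matches their own session id.
    return $requestedId === $sessionUserId ? 'self' : 'forbidden';
}

// Validate the id from the URL as a positive integer; anything else is treated as absent,
// so a tampered URL never reaches the database query below.
$requestedId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$requestedId = ($requestedId === false || $requestedId === null) ? null : $requestedId;

$sessionUserId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;

// Re-read the role from the database on every request rather than trusting a value cached
// in the session, so a demoted administrator loses access immediately.
$sessionRole = 'user';
if ($sessionUserId !== null) {
    $stmt = $pdo->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([$sessionUserId]);
    $sessionRole = (string) ($stmt->fetchColumn() ?: 'user');
}

$access = resolveAccess($sessionUserId, $sessionRole, $requestedId);

switch ($access) {
    case 'anonymous':
        header('Location: /login.php');
        exit;
    case 'forbidden':
        http_response_code(403);
        echo 'You are not allowed to edit that user.';
        exit;
    case 'self':
        $editableFields = ['username', 'email'];                // own normal data only
        break;
    case 'admin':
        $editableFields = ['username', 'email', 'permissions']; // plus administrative data
        break;
}

// From here on $requestedId is known to be a record the visitor is allowed to edit.
$stmt = $pdo->prepare('SELECT id, username, email, permissions FROM users WHERE id = ?');
$stmt->execute([$requestedId]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user === false) {
    http_response_code(404);
    exit;
}
// Render the edit form using $user and $editableFields; the POST handler must run the
// same resolveAccess() check before writing anything back.
```

The same resolveAccess() decision has to be repeated in the form's POST handler, since a visitor can submit the form directly without ever loading the page; the id in the URL is not a secret, and the check, not its concealment, is what protects the record.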
Adamhumbug Posted February 20 (Author)

9 hours ago, mac_gyver said:

"Each page must enforce what the current user can do and see on that page, for a non-logged-in user, for a logged-in user, and for a logged-in administrator. If the current user is not logged in, they can only do and see what you have coded on that page for a non-logged-in user to do and see. If they are a logged-in user and the user ID in the URL is the same as the currently logged-in user ID, they can perform actions like editing their own data and seeing all of their own data. If the currently logged-in user is an administrator, he/she would be able to pick any user and be able to perform actions like editing that user's normal data and seeing all that user's normal data, and be able to edit/see additional data, such as permissions, edit history, site activity, IP history, ... If you aren't already doing so, your login code should store the user id (autoincrement primary index) in a session variable to indicate who the currently logged-in user is. If there is a logged-in user, you would query on each page request to get any other user data, such as username, email, permissions, ..."

This is what I thought and hoped the answer would be, and it is the approach that I am taking. Thanks for confirming that for me.