CodeCharge Studio
YesSoftware Forums -> CodeCharge Studio -> PHP

 URL Parameters a Security Risk?

maxhugen

Posts: 272
Posted: 04/02/2008, 2:43 PM

I've created a Master/Detail page on the basis of the one in the CCS Example Pack.

The application's users are Consultants, who record Clients. After logging in, a Consultant can see the list (Grid) of their own Clients, which has been filtered using their Login user ID (session parameter). In this master/detail page, they can click on a Client in the list to view/edit the Client detail (Record).

The detail is filtered to the selected client using a URL parameter, i.e. the URL looks like:

http://192.168.0.2/EIP/Client.php?ClientID=1898128231

I see this as a security problem, as it is possible for a user to manually edit the URL, and get access to the Clients of other Consultants.

Is there an alternate way to fetch the Client Record, without using a URL parameter?
_________________
Max
www.gardenloco.com | www.eipdna.com | www.chrisarminson.com
DonP
Posted: 04/02/2008, 2:50 PM

You could set the value as a session rather than passing it by a URL,
but the easiest way to add security is to have the clients log in with
their own user name and password. Then they would be able to only access
records with a matching ClientID, which would be set as a session at login.

Don (DonP)

maxhugen

Posts: 272
Posted: 04/02/2008, 3:00 PM

I forgot to mention that I tried adding an extra parameter to the detail (Record) to filter by the session login ID, as I did for the list (Grid), but this doesn't work - I don't actually understand why it doesn't though. Even if it did work, it could be an issue when trying to add a new record.

Should I be trying out Ajax instead?
_________________
Max
www.gardenloco.com | www.eipdna.com | www.chrisarminson.com
DonB
Posted: 04/02/2008, 5:05 PM

Use 'Expression' in the data source and put a function in as the value, e.g.
CCGetUserID().

--
DonB
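Added example (the editor's, not CodeCharge Studio code and not code from any poster in this thread): the record lookup from the original post in its insecure form beside the owner filter DonB describes, plus the insert/update case raised in the second post. It is written in Python with SQLite so that it runs stand-alone; the table and column names Client, ClientID and ConsultantID, and the sample rows, are assumptions, and the consultant_id argument stands in for whatever the session holds (what CCGetUserID() returns in CodeCharge).

```python
"""Scoping a master/detail record lookup to the logged-in user.

Added example, not CodeCharge Studio code. Table and column names
(Client, ClientID, ConsultantID) and the sample rows are assumed; the
app on the page keys its detail page off ?ClientID=... and filters the
master grid by the session user ID.
"""
import sqlite3

# Constructed sample data: two consultants, each owning one client.
SAMPLE_ROWS = [
    (1898128231, 1, "Acme Pty Ltd"),
    (1898128232, 2, "Globex Corp"),
]


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Client (ClientID INTEGER PRIMARY KEY, "
        "ConsultantID INTEGER NOT NULL, Name TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO Client VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def list_clients(db, consultant_id):
    """The master Grid: only the caller's own clients, filtered by the
    session user ID exactly as the original post already does."""
    return db.execute(
        "SELECT ClientID, Name FROM Client WHERE ConsultantID = ? "
        "ORDER BY ClientID",
        (consultant_id,),
    ).fetchall()


def get_client_insecure(db, client_id):
    """The pattern the original post worries about: the detail Record is
    selected by the URL parameter alone, so any logged-in consultant who
    edits ?ClientID= can read any client."""
    return db.execute(
        "SELECT ClientID, ConsultantID, Name FROM Client WHERE ClientID = ?",
        (client_id,),
    ).fetchone()


def get_client(db, client_id, consultant_id):
    """Hardened form: the owner ID comes from the session (CCGetUserID()
    in CodeCharge), never from the request, and is ANDed into the WHERE
    clause. A ClientID belonging to someone else simply finds nothing."""
    return db.execute(
        "SELECT ClientID, ConsultantID, Name FROM Client "
        "WHERE ClientID = ? AND ConsultantID = ?",
        (client_id, consultant_id),
    ).fetchone()


def save_client(db, consultant_id, name, client_id=None):
    """Insert or update, the case the second post raises.
    New record (client_id is None): the owner column is stamped from the
    session, so the form cannot assign the client to another consultant.
    Existing record: the UPDATE is scoped by owner as well, so an edited
    URL cannot overwrite another consultant's client.
    Returns the number of rows written; 0 means the caller does not own
    that record (or it does not exist)."""
    if client_id is None:
        cur = db.execute(
            "INSERT INTO Client (ConsultantID, Name) VALUES (?, ?)",
            (consultant_id, name),
        )
        return cur.rowcount
    cur = db.execute(
        "UPDATE Client SET Name = ? WHERE ClientID = ? AND ConsultantID = ?",
        (name, client_id, consultant_id),
    )
    return cur.rowcount
```

In CodeCharge terms, the Grid and the Record both get the same ConsultantID = CCGetUserID() expression in their data source; the ClientID URL parameter then only selects among rows the user already owns, and on an insert the ConsultantID field is populated from the same expression rather than from anything the browser sends. The server-side check is what matters: moving ClientID into the session instead of the URL hides the ID but still needs the same ownership test.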

maxhugen

Posts: 272
Posted: 04/02/2008, 6:39 PM

Thanks Don, will try that out as part of my learning process.
_________________
Max
www.gardenloco.com | www.eipdna.com | www.chrisarminson.com


Powered by UltraApps Forum created with CodeCharge Studio
Copyright © 2003-2004 by UltraApps.com  and YesSoftware, Inc.