

Check if route id has been modified in HTML form.

I have this resource route.

Route::resource('bookings', 'BookingController');

And when showing individual booking "/bookings/1" I want to add notes to that booking. So, I have this route on my create note form:

<form action="{{ route('create-note', $booking->id) }}" method="POST" class="parsley">

The problem is that you can change the $booking->id on the client side and add a note to a booking that doesn't belong to you. How do you prevent something like this?

Thanks a lot. :)

0 likes
3 replies
ErnestsMillers
OP
Best Answer

So I added this DIRTY FIX in my store(). Later on I will look into policies :)

// In store(): $id is the booking id taken from the route. Count bookings that
// have that id AND belong to the logged-in user; admins bypass the check.
$check = Booking::where([
    ['id', $id],
    ['user_id', auth()->id()]
])->count();

// No matching booking for this user: refuse to add the note.
if (!auth()->user()->isAdmin() && $check == 0) {
    return back();
}
1 like
crusader

Add user_id to the booking object. And only allow editing a booking where user_id is the currently logged-in user's ID. That secures the part where you work with bookings or their notes. But that doesn't secure the part where the same user can add a note to a different booking of theirs if they want, but I doubt that's a problem.

1 like
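The ownership check that both replies describe (the booking's user_id must match the logged-in user, admins excepted), written as a Laravel policy plus route-model binding so the tampered id is rejected before any note is written. This is an added example, not code from either poster; the Booking/Note models, the BookingPolicy class, the NoteController, the notes() relation and the route names are assumptions.

```php
<?php
// app/Policies/BookingPolicy.php (assumed path). With the model in App\Models
// and the policy in App\Policies, Laravel discovers the policy automatically.
namespace App\Policies;

use App\Models\Booking;
use App\Models\User;

class BookingPolicy
{
    // Admins may add notes to any booking; everyone else only to their own.
    public function addNote(User $user, Booking $booking): bool
    {
        return $user->isAdmin() || $booking->user_id === $user->id;
    }
}

// app/Http/Controllers/NoteController.php (assumed path).
// Route (assumed): Route::post('bookings/{booking}/notes', [NoteController::class, 'store'])
//                      ->middleware('auth')->name('bookings.notes.store');
namespace App\Http\Controllers;

use App\Models\Booking;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class NoteController extends Controller
{
    // {booking} is resolved by route-model binding from the id in the URL.
    // The policy, not the form, decides whether this user may touch it, so a
    // client-side change of the id yields a 403 instead of a note on someone
    // else's booking.
    public function store(Request $request, Booking $booking)
    {
        Gate::authorize('addNote', $booking);

        $data = $request->validate(['body' => 'required|string|max:2000']);

        // Attach the note to the verified booking; the author comes from the
        // authenticated session, never from a hidden form field.
        $booking->notes()->create([
            'body'    => $data['body'],
            'user_id' => $request->user()->id,
        ]);

        return redirect()->route('bookings.show', $booking);
    }
}
```

The form then posts to route('bookings.notes.store', $booking) and can drop any hidden booking id, since the server derives it from the URL and re-checks ownership on every request.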
