Using policies : https://laravel.com/docs/5.6/authorization#writing-policies
Prevent users from accessing high-sensitive data by simply changing query string
I am dealing with this app that provides the teacher the ability to manage students within a class project. I was thinking making this public, so that teachers all around the world can use it.
One of my main concerns is related to separation of these teachers. For instance, if I create a sign-in/sign-up page, how would I separate the teachers along with their students in terms of privacy?
An example, let's say we have this query string platform.com?teacher=John+Doe/students that simply shows all the students that have John Doe as teacher.
Now the problem here is that if someone simply changes the query string from platform.com?teacher=John+Doe/students to platform.com?teacher=Peter+Berkley/students he will get students enrolled in Peter Berkley's class, which is private and not allowed.
How can I prevent this from happening?
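The reply at the top of the thread points at Laravel policies. The following is an added example (not code from the thread or from Laravel's documentation) of what that looks like for the scenario in the question: the student list is keyed on the authenticated user rather than on a user-supplied teacher name, and a policy check rejects any request for a teacher record the current user does not own. The `Teacher` model with a `user_id` column and a `students` relation, and the route/controller/policy names, are assumptions for the sake of the example.

```php
<?php
// --- app/Policies/TeacherPolicy.php (hypothetical path) ---
namespace App\Policies;

use App\User;
use App\Teacher; // assumed model: teachers.user_id references users.id
use Illuminate\Auth\Access\HandlesAuthorization;

class TeacherPolicy
{
    use HandlesAuthorization;

    // Allow listing students only when the teacher record belongs to the
    // currently authenticated user. Anything else is denied (403).
    public function viewStudents(User $user, Teacher $teacher): bool
    {
        return $user->id === $teacher->user_id;
    }
}

// --- app/Providers/AuthServiceProvider.php (excerpt) ---
// Register the policy so Gate knows which class guards Teacher models.
//
// protected $policies = [
//     \App\Teacher::class => \App\Policies\TeacherPolicy::class,
// ];

// --- routes/web.php ---
// The identifier in the URL is the teacher's primary key, resolved by
// route-model binding; 'auth' ensures there is a logged-in user at all.
//
// Route::get('/teachers/{teacher}/students', 'StudentController@index')
//     ->middleware('auth');

// --- app/Http/Controllers/StudentController.php ---
namespace App\Http\Controllers;

use App\Teacher;

class StudentController extends Controller
{
    // Variant 1: the teacher comes from the URL, so the policy must decide
    // whether this user may see it. authorize() throws an
    // AuthorizationException (rendered as HTTP 403) when the policy denies.
    public function index(Teacher $teacher)
    {
        $this->authorize('viewStudents', $teacher);

        return view('students.index', ['students' => $teacher->students]);
    }

    // Variant 2: do not accept a teacher identifier from the client at all.
    // Scoping the query to the authenticated user's own teacher record means
    // there is nothing in the URL to tamper with.
    public function mine()
    {
        $teacher = auth()->user()->teacher; // assumed User::teacher() hasOne relation

        return view('students.index', ['students' => $teacher->students]);
    }
}
```

Variant 2 is the stronger default for a "my students" page, because the ownership decision is made server-side from the session and the client never supplies an identifier. Variant 1 is what you need when a URL must legitimately name another teacher's record (for example an admin view), and there the policy is the single place where the ownership rule lives, so every controller that loads a `Teacher` enforces the same check.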