Level 75
That's where authentication and authorization comes into play.
Jun 24, 2018
10
Level 1
Passing Parameters to Controllers
Hey all. I'm definitely over-looking something simple here, but it's making me bang my head against the wall!
Let's say I have a forum topic and I'm replying to the topic. My post would be submitted to route('post.store'); from the form I'm replying with. Obviously I want to create a relationship where this Post belongs to the Topic I'm replying to, and to do this I could have a hidden field containing the ID of the Topic I'm on.
My caution is that a user could easily, if they were tech savvy enough, edit the ID in this hidden field to reply to a totally different Topic on the board. Not the end of the world, but definitely not what I want to happen. What other ways could I sent this ID over to the post.store method, that ensures the end user cannot modify the value?
Thanks!
Level 67
Yes, authorization: https://laravel.com/docs/5.6/authorization
Level 1
Authenticated users are authorized to reply to any topic they like, I'm not sure I understand where you're coming from?
For example if I'm an authenticated user and I see two topics, both of which I'm authorized to reply to, and I go into one to create a reply, but change the ID here to the other topic, the reply will instead be associated with that one as if I've just replied to it on it's own page. I hope that makes sense...
Level 67
but change the ID here to the other topic, the reply will instead be associated with that one as if I've just replied to it on it's own page.
Not if you write a policy for it it won't. You could write the policy to check whether the user is authorized to reply to that topic. It won't matter if they change the id bc the policy would check whether they are authorized to change THAT id.
How are you defining who is allowed to do what?
Level 1
Hi there - see my answer at the bottom of another question of mine, where I've actually just done exactly what I'm talking about.
https://laracasts.com/discuss/channels/laravel/view-creators-what-is-their-purpose
I want to try and avoid this happening. While it's a pet peeve and not something users are likely to do, it can still be done.
Level 67
Have you actually read the docs I linked to? It's meant to specifically prevent what you keep asking about.
Level 75
Try to edit @Cronix answer if successful write I did it.
Level 1
Sorry, but I'm not talking about nefarious or malicious actions here. I'm not talking about me being able to edit other user's answers, or post answers to topics I'm not authorized to view. It's much more innocent than that...
Inspect the form around this reply box. The action is: "/discuss/88927/replies"
Then inspect the form around the reply box here: https://laracasts.com/discuss/channels/laravel/view-creators-what-is-their-purpose
The action is: "/discuss/67435/replies"
Now if I modify the action of this form to the action of the form on the page I've linked to, and post the answer, it will submit to that page. Not this one.
I've read the Authorization docs but I'm not really sure anything discussed here solves this, not unless I forbid users from replying to topics unless they're viewing the topic, but that seems a bit far fetched.
Level 75
And you can just go to that page and post and submit an answer because you are logged in. But you cannot overwrite another user's answer.
Take note that you cannot do what you stated unless you were properly logged in.
Level 1
Thanks, I am aware of this, it's still something I'd rather avoid though. I'm looking for alternative ways to get the ID of the post I'm replying to, that's all. I don't want it to be somewhere the user can modify it. There's already appropriate authorization in place to ensure the user can do the action, it's just getting around this "problem," albeit a bit of a niche concern.
Perhaps storing it in session data is going to be the easiest way.
Please or to participate in this conversation.