Technical Support Forums
Restrict page access to user logged in

Thread began 10/30/2012 11:12 am by iainmacdonald331081 | Last modified 10/30/2012 7:32 pm by iainmacdonald331081 | 761 views | 8 replies |

iainmacdonald331081

I think I asked a similar question a while ago, but it doesn't seem to be working here.

Basically users can log in, and create tour itineraries associated with them.

So when they log in, they can view the itineraries they have added.

That's all working, but itineraries other than their own can be viewed just by changing the ID number at the end of the URL.

I've added:

AND UserID = ParamUserID

to the recordset, and added the variable:

ParamUserID
Integer
-1
$_SESSION['SecurityAssist_UserID']

Which I thought was the solution, but it's not working here.

I've attached a copy of the page.

Thanks again.

Attached Files
itineraryDetails.zip

Ray Borduin (WebAssist)

It looks like you are displaying rows from the recordset "ItineraryProfiles" and that recordset doesn't have a parameter filtering with the Session variable. I think you just need to add it to that recordset as well.


iainmacdonald331081

Thanks Ray - I've added that, but it's still letting me view other users' itineraries by changing the URL. I've attached a revised copy of the page.

Attached Files
itineraryDetails2.zip

Ray Borduin (WebAssist)

This looks like it should work. Do you have a URL where I can see the problem? Are you sure you uploaded the files after adding the session variable parameter? Are you switching to another ID owned by that user, or one they shouldn't be able to access?


iainmacdonald331081

I think I've uploaded everything I need to - the page in question, and all the webassist folders.

For testing purposes, try this URL:

trade_login/

Login with:

johngordon
talisker

Click on View Your Itineraries.

You should see Itineraries with the IDs : 127, 125, 126, 122, 124, 129

Click on an itinerary name to go to the details page.

Try changing the ID at the end of the URL to 118.

I notice now that the Itinerary Profile section isn't displaying.

What should happen here anyway? Should the user be presented with the log in page?


Ray Borduin (WebAssist)

Well, technically this would only happen if the user was trying to hack into someone else's data by changing the URL, so I'm not sure how important it is to have a smooth user experience for this case.

You could add logic to redirect to another page (the login page makes sense) when the recordset is empty.

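The ownership filter described in the first post, together with the redirect-on-empty-recordset that Ray suggests, written as plain PHP rather than WebAssist-generated code (an added example, not code from the thread or from WebAssist). It assumes a PDO connection to the site's MySQL database, an Itineraries table with ItineraryID, UserID and Name columns, the session key SecurityAssist_UserID from the first post, an ID query parameter, and placeholder paths for the login and index pages.

```php
<?php
// Added example (not WebAssist-generated code). Assumed: PDO connection details,
// table Itineraries(ItineraryID, UserID, Name), session key SecurityAssist_UserID,
// URL parameter ?ID=, and placeholder redirect targets.
session_start();

$db = new PDO('mysql:host=localhost;dbname=app_db', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// No session at all: this page is for logged-in users only.
if (!isset($_SESSION['SecurityAssist_UserID'])) {
    header('Location: /trade_login/'); // placeholder login path
    exit;
}
$sessionUserId = (int) $_SESSION['SecurityAssist_UserID'];
$itineraryId   = isset($_GET['ID']) ? (int) $_GET['ID'] : -1;

// Vulnerable pattern (what the thread is fixing): filtering by ItineraryID only,
// so any logged-in user can read any itinerary by editing the ID in the URL:
//   SELECT ... FROM Itineraries WHERE ItineraryID = :id

// Hardened pattern: the ownership condition is part of the same query, so a row
// that belongs to someone else is never returned, whatever ID is requested.
function loadOwnedItinerary(PDO $db, int $itineraryId, int $userId): ?array
{
    $stmt = $db->prepare(
        'SELECT ItineraryID, UserID, Name FROM Itineraries
          WHERE ItineraryID = :id AND UserID = :uid'
    );
    $stmt->execute([':id' => $itineraryId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The same rule must apply to writes, or the edit form stays exploitable even
// when the view is fixed; rowCount() tells us whether the row was really ours.
function renameOwnedItinerary(PDO $db, int $itineraryId, int $userId, string $name): bool
{
    $stmt = $db->prepare(
        'UPDATE Itineraries SET Name = :name WHERE ItineraryID = :id AND UserID = :uid'
    );
    $stmt->execute([':name' => $name, ':id' => $itineraryId, ':uid' => $userId]);
    return $stmt->rowCount() === 1;
}

// Empty recordset means "not yours" (or nonexistent): do not render, redirect.
$itinerary = loadOwnedItinerary($db, $itineraryId, $sessionUserId);
if ($itinerary === null) {
    header('Location: /index.php'); // placeholder
    exit;
}
echo htmlspecialchars($itinerary['Name'], ENT_QUOTES, 'UTF-8');
```

Every recordset on the page that reads or writes itinerary data (the details recordset and the "ItineraryProfiles" recordset alike) needs the same UserID condition; one unfiltered recordset is enough to leak the data.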

iainmacdonald331081

In terms of security it seems quite important that one user is not able to view and edit another user's data simply by changing an ID in the URL.

I don't follow the bit about the empty recordset, as in this scenario the recordset wouldn't be empty.


Ray Borduin (WebAssist)

Yes, of course... sorry I misinterpreted your last post and thought you had it working now.

I'm going to open a support ticket so we can schedule a screen sharing session to determine what exactly is going wrong since it looks like it should be working to me, but I can see that it isn't.


iainmacdonald331081

Thanks Ray, and no worries about the ambiguity.

