How to protect yourself from spoofing a post request?
A simple example: there are comments under a post, and each user can delete only his own comments. Deletion is done via an AJAX request to the controller action; the request contains the ID of the comment and other data. How can you protect yourself from spoofing of the comment ID in the request?
All data coming from the client should be validated on the server. This includes both validating the data itself and checking the user's rights to perform operations on that data.
Violet_Wiso answered on June 14th 19 at 18:25
On the server side, check that the comment belongs to the user that sent the request.
alden73 answered on June 14th 19 at 18:27
To check on the server, pass the user ID and the ID of the comment; if they are linked in the database, then delete, otherwise return an error.
Kyleigh_Hills answered on June 14th 19 at 18:29
Why?! Just check the right of the current user (from the server session) to delete the comment with the given ID.
Palma_Schamberger answered on June 14th 19 at 18:31
In the end, the best solution is not to pass anything extra in the clear, but to hash it.
Jack answered on June 14th 19 at 18:33
The user ID is already available via Yii::$app->getUser()->getId();
Pass in the ID of the comment and fetch the comment, adding the user ID to the query condition; or fetch the comment from the database and compare the field holding the comment's user ID with the ID of the current user. If they differ, throw new ForbiddenHttpException();
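The server-side ownership check described in the answers above, written out as a Yii2 controller action. This is an added example and not code from any of the posters; the Comment ActiveRecord class, its user_id column and the app\controllers namespace are assumptions, while the controller, filter and exception classes are Yii2's own.

```php
<?php
// Added example (not from the original thread): a Yii2 controller action that
// deletes a comment only if it belongs to the currently authenticated user.
// Assumed: app\models\Comment is an ActiveRecord with columns `id` and `user_id`.

namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use yii\web\Response;
use app\models\Comment; // assumed ActiveRecord: id, user_id, ...

class CommentController extends Controller
{
    public function behaviors()
    {
        return [
            // Only authenticated users ('@') may reach the delete action at all.
            'access' => [
                'class' => AccessControl::class,
                'only' => ['delete'],
                'rules' => [
                    ['allow' => true, 'roles' => ['@']],
                ],
            ],
            // A destructive action is POST only, never GET, so a crafted link
            // or <img> tag cannot trigger it.
            'verbs' => [
                'class' => VerbFilter::class,
                'actions' => ['delete' => ['POST']],
            ],
        ];
    }

    // CSRF validation is enabled by default in yii\web\Controller, so the AJAX
    // call must send the token (X-CSRF-Token header or the _csrf POST field).

    public function actionDelete()
    {
        Yii::$app->response->format = Response::FORMAT_JSON;

        // The user ID is never taken from the request; it comes from the session.
        $userId = Yii::$app->user->id;

        // Validate the only client-supplied value: a positive integer.
        $id = filter_var(
            Yii::$app->request->post('id'),
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]
        );
        if ($id === false) {
            throw new NotFoundHttpException('Comment not found.');
        }

        // Variant 1 (preferred): scope the lookup to the current user, so a
        // spoofed comment ID simply matches no row.
        $comment = Comment::findOne(['id' => $id, 'user_id' => $userId]);
        if ($comment === null) {
            // Same response whether the row is missing or belongs to someone
            // else, so the endpoint does not reveal which comment IDs exist.
            throw new NotFoundHttpException('Comment not found.');
        }

        $comment->delete();
        return ['ok' => true];
    }

    // Variant 2, matching the last answer above: fetch by ID, then compare the
    // owner column with the session user and refuse with 403 on mismatch.
    protected function findOwnedComment(int $id): Comment
    {
        $comment = Comment::findOne($id);
        if ($comment === null) {
            throw new NotFoundHttpException('Comment not found.');
        }
        if ((int) $comment->user_id !== (int) Yii::$app->user->id) {
            throw new ForbiddenHttpException('You may only delete your own comments.');
        }
        return $comment;
    }
}
```

The design point is that the only value trusted from the client is the comment ID, and even that is just a lookup key: the identity used for the authorization decision is read from the server session, and the lookup itself is constrained to rows owned by that identity. Either variant blocks a spoofed ID; the scoped query has the extra property of returning the same 404 for "does not exist" and "not yours".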