0

im working on a project at the moment that allows users to register and log into there own user area and add/edit/delete note snippets.

Im currently working on the edit class and im wondering how can i make it so that other users cant visit the same url and edit someones note? (all notes are stored in the same table in the database)

schema = id, title, description, snippet, user_id

for example if user1 wants to edit his note at http://domain.com/edit/1 (which is bound to his user_id in the database) how can i stop user2 from visiting that same url and editing his note?

here is the controller

<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

class Mysnippets extends CI_Controller {

function __construct()
{
    parent::__construct();

    if (!$this->tank_auth->is_logged_in()) {
        redirect('/login/');
    } 

    $this->load->model('dashboard_model');

    $this->data['user_id']  = $this->tank_auth->get_user_id();
    $this->data['username']= $this->tank_auth->get_username();  
}

public function index()
{
    $this->data['private_snippets']  = $this->dashboard_model->private_snippets();
    $this->load->view('dashboard/my_snippets', $this->data);    
}

function edit_snippet($snippet_id) {

    $snippet = $this->dashboard_model->get_snippet($snippet_id);

    //validate form input
    $this->form_validation->set_rules('title', 'Title', 'required');

    if (isset($_POST) && !empty($_POST))
    {       
        $data = array(
            'title' => $this->input->post('title'),
        );

        if ($this->form_validation->run() === true)
        {
            $this->dashboard_model->update_snippet($snippet_id, $data);
            $this->session->set_flashdata('message', "<p>Product updated successfully.</p>");                
            redirect(base_url().'mysnippets/edit_snippet/'.$snippet_id);
        }           
    }

    $this->data['message'] = (validation_errors() ? validation_errors() : $this->session->flashdata('message'));

    $this->data['snippet'] = $snippet;

    //display the edit product form
    $this->data['title'] = array(
        'name'      => 'title',
        'type'      => 'text',
        'value'     => $this->form_validation->set_value('title', $snippet['title']),
    );

    $this->load->view('dashboard/edit_snippet', $this->data);
}
}

heres the model:

<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

class Dashboard_model extends CI_Model {

public function public_snippets()
{
    $this->db->select('id, title, description, author, date_submitted');
    $query = $this->db->get_where('snippets', array('state' => 'public'));
    return $query->result_array();
}

public function private_snippets()
{
    $this->db->select('id, title, description, date_submitted');
    $query = $this->db->get_where('snippets', array('user_id' => $this->tank_auth->get_user_id()));
    return $query->result_array();
}

public function add_snippet($data)
{
    $this->db->insert('snippets', $data);
    $id = $this->db->insert_id();
    return (isset($id)) ? $id : FALSE;
}

public function get_snippet($snippet_id) {
    $this->db->select('id, title');
    $this->db->where('id', $snippet_id);
    $query = $this->db->get('snippets');

    return $query->row_array();
}

public function update_snippet($snippet_id, $data)
{
    $this->db->where('id', $snippet_id);
    $this->db->update('snippets', $data);
}




}

heres the view:

    <?php echo $message;?>

    <?php $snippet_id = $snippet['id']; ?>
    <?php echo form_open("mysnippets/edit_snippet/$snippet_id");?>


    <?php echo form_input($title); ?>
    <?php echo form_submit('submit', 'Submit');?>

    <?php echo form_close(); ?>

is there a way i can restrict it so if another user tried to go to that url i can redirect them or show a error message

jackthedev
  • 417
  • 8
  • 21

3 Answers3

0

Something like this might work. 

public function edit_snippet(snippet_id) 
{
    $snippet = $this->dashboard_model->get_snippet($snippet_id); 

    // this depends on what you are using for sessions; 
    // recommend you use db sessions
    if($snippet->user_id != $this->session->userdata('user_id');)
    {
        redirect('/mysnippets');
    } 
    else 
    {
        //allow editing
stormdrain
  • 7,915
  • 4
  • 37
  • 76
  • IM using tank auth for authentication and it handles sessions through storing them in a database, would this work with that? i couldnt get the above working. Thanks for the swift response. Ive updated my post with the full MVC of the function – jackthedev Apr 23 '13 at 08:44
  • Yup, that'll work fine. But in your get_snippet method in your model, you need to also query for user_id. Right now, you're only selecting id and title. Try it with $this->db->select('id, title, user_id'); – stormdrain Apr 23 '13 at 11:27
  • still no luck just redirects back to /mysnippets/ even if the user_id is equal to. – jackthedev Apr 23 '13 at 12:03
  • Well that's not quite possible; they're obviously not equal. Try `print_f($snippet)` to make sure the value is there. Also `echo $this->session->userdata('user_id');` to make sure it's set in the session. Make sure the user_id value exists in the db; make sure you set it when you add a snippet. – stormdrain Apr 23 '13 at 14:43
0

You could check whether the id you are editing is the same as the session id provided when you have logged in.

it could be something like :

if ($snippet_id !=  $this->session->userdata('login_id'))
{
   //redirect to another page
}
pat
  • 1
0

I would just add a line to the following function in the model:

public function get_snippet($snippet_id) {
    $this->db->select('id, title');
    $this->db->where('id', $snippet_id);
    //users can access only their own snippets 
    $this->db->where('user_id', $this->session->userdata('user_id'));
    $query = $this->db->get('snippets');
    return $query->row_array();
}

That prevents them from accessing the information, but I'd do something to prevent them from even being able to try in the first place, i.e. not giving them the choice.

Expedito
  • 7,771
  • 5
  • 30
  • 43