Home/ Questions/Q 7068789
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T05:22:01+00:00

Disclaimer : I’m new to web development. Scenario : I’ve built an application using

  • 0

Disclaimer: I’m new to web development.

Scenario: I’ve built an application using CodeIgniter that would be best described as an event calendar. There is a shared feature in the application that allows you to share your event calendar with another individual. When logged in, a user can travel to the shared page, and choose from a list of those who have shared their event calendars with them. Currently, when a user selects the name of the person who has shared their event calendar with them, the following URI is generated:

http://example.com/folder/controller/method/id

The id section is the the owner_id in the database of the user who has shared their calendar with the individual.

Issue: It’s easy to go change the id section of the URL to another user’s owner_id in the database. This allows whoever does so to access the event calendar of an individual who has not authorized the sharing of their event calendar.

Question: What are some methods to resolve this security gap? Please let me know if there is anything else that I need to provide, or explain in a clearer fashion. Thanks in advance for your time and energy.

Model:

class Shares_model extends crud_model {

    public function __construct()
    {
        parent::__construct();

        $this->pk = 'id';
        $this->table_name = 'shares';
    }

    public function get($shared_to_user_id)
    {
        $this->db->where('shared_to_id', $shared_to_user_id);
        $ids = parent::get_all();

        $users = array();

        foreach ($ids as $id)
        {
            $users[$id->owner_id]['owner_id'] = $id->owner_id;
            $users[$id->owner_id]['owner_first_name'] = $id->owner_first_name;
            $users[$id->owner_id]['owner_last_name'] = $id->owner_last_name;
        }

        return $users;
    }   
}

View:

<div class="panel">
    <h4>Shared Planners</h4>
        <ol>
            <?php foreach($sharers as $s): ?>
            <li><a href="<?php echo base_url('user/shared/view/'.$s['owner_id']) ?>"><strong><?php echo $s['owner_first_name']." ".$s['owner_last_name'] ?></strong></a></li>
            <?php endforeach; ?>
        </ol>
</div>

Controller:

class Shared extends Common_Auth_Controller {

    private $end_user;

    public function __construct()
    {
        parent::__construct();

        $this->end_user = $this->ion_auth->user()->row();
        $data['end_user'] = $this->end_user;
        $this->load->vars($data);

        $this->load->model('events_model', 'events');
    }

    public function index()
    {
        $title['title'] = 'Shared';

        $this->load->model('shares_model','shares');

        $data['sharers'] = $this->shares->get($this->end_user->id);

        $this->load->view('public/head_view', $title);
        $this->load->view('user/header_view');
        $this->load->view('user/shared_view', $data);
        $this->load->view('user/footer_view');
    }
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Use the below logic 

     <?php
            // Check if user is logged in 
            if (!$this->ion_auth->logged_in())
            {
                //Not logged in , so redirect them to login page
                redirect('account/login', 'refresh');
            }

            else{
            // So the user is logged in 
            // Get the id of the currently logged in user ( The user who is trying to view the page )
            $current_user = $this->ion_auth->get_user();
            $current_userid = $current_user->id;


            // you need an array of users who have been invited to that event by the event creator
            // As you mentioned you are storing the users who have been invited in db, get the ids to an array 

            $invited_users = getIdsOfusers();

            if (in_array($current_userid, $invited_users)) {
                // Yes, The user who is trying to view the page has access
                // you can show him the respective view
            }
            else {
                // No, The user who is trying to view the page Doesn't have  access
                show_error('You dont have access !' ,500 );
            }
    }

    ?>
    • 0