Let us say I have multiple users. They all have items linked to their account. They can CRUD those items.
What is the best way to prevent users from manipulating each other's items?
At first I thought the AntiForgeryToken would help, but it does not, because when the users look at their control panel they get a valid token. So they could just open Firebug and do some POST requests to delete items.
While writing this I think I know what I should do. I guess I should just check on the server if the user is deleting his items.
Did I forget anything which would still make it possible to adjust each other’s items?
The only way to be sure is to check on the server that the current user has permission to "do action".
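As an added illustration of that answer (example code, not from the original thread): the anti-forgery token only proves the request came from the app's own page, not that the item belongs to the caller, so the check has to be on the server and keyed to the authenticated user. The example uses an in-memory SQLite table with constructed data (users 100 and 200, item ids 1 to 3, all hypothetical) and shows the unchecked delete beside the scoped one; `current_user_id` stands for whatever the server session says the user is, never a value taken from the request body.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users, each owning their own items."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO items (id, owner_id, name) VALUES (?, ?, ?)",
        [(1, 100, "alice-report"), (2, 100, "alice-draft"), (3, 200, "bob-report")],
    )
    conn.commit()
    return conn


def delete_item_unchecked(conn, current_user_id, item_id):
    """The flawed version: the CSRF token showed the POST came from our own
    page, but nothing ties item_id to current_user_id, so any logged-in user
    can delete any id they guess or read out of their own panel's markup."""
    cur = conn.execute("DELETE FROM items WHERE id = ?", (item_id,))
    conn.commit()
    return 200 if cur.rowcount else 404


def delete_item(conn, current_user_id, item_id):
    """Hardened: scope the write to the authenticated user in the same query.
    A row owned by someone else simply does not match, so the caller gets the
    same 404 as for a non-existent id and cannot enumerate other users' items."""
    cur = conn.execute(
        "DELETE FROM items WHERE id = ? AND owner_id = ?", (item_id, current_user_id)
    )
    conn.commit()
    return 200 if cur.rowcount else 404


def rename_item(conn, current_user_id, item_id, new_name):
    """Same pattern for update: owner_id is part of the WHERE clause, and
    rowcount tells us whether the caller actually owned the row."""
    cur = conn.execute(
        "UPDATE items SET name = ? WHERE id = ? AND owner_id = ?",
        (new_name, item_id, current_user_id),
    )
    conn.commit()
    return 200 if cur.rowcount else 404


def item_owner(conn, item_id):
    """Helper for the demo: who owns item_id now (None if it was deleted)."""
    row = conn.execute("SELECT owner_id FROM items WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Bob (user 200) forges a POST carrying Alice's item id 1 from the
    browser dev tools, with a perfectly valid anti-forgery token."""
    conn = make_db()
    unchecked = delete_item_unchecked(conn, 200, 1)  # 200: Alice's item is gone
    gone = item_owner(conn, 1)                       # None

    conn = make_db()
    checked = delete_item(conn, 200, 1)              # 404: no row matched
    still_alice = item_owner(conn, 1)                # 100: untouched
    renamed = rename_item(conn, 200, 2, "pwned")     # 404: not Bob's row
    own = delete_item(conn, 100, 1)                  # 200: Alice deletes her own
    return unchecked, gone, checked, still_alice, renamed, own


if __name__ == "__main__":
    print(demo())
```

The point of folding `owner_id` into the `WHERE` clause rather than doing a separate `SELECT` then `DELETE` is that there is no window between the check and the write, and a forgotten check is a missing column in one query rather than a missing branch in every handler; whatever ORM or framework is in use, the equivalent is to always load or modify items through a query that is already filtered by the current user.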