> What I am thinking is that the person has authorisation, but
> has a list of available (say) articles he can delete...
>
> If the PK is used, then with a bit of URL manipulation he could
> prob delete a record that he didn't have access to see...
>
> I realise you should do the check before delete, but I was
> thinking that it'd be better to have a UUID with every record
> created... then when someone wants to delete, pass it the ID
> and the UUID and means people can't muck about with the URL.....
>
> Would it be preferable to have the check before every database
> action.... or would the above be sufficient security....

If you only want some people to be able to do some things, then your
application needs to check for authorization before allowing that action.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
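The contrast discussed in this thread, as an added example that is not part of the original messages and not code from either poster. The `articles` schema, the `owner_id` column and all function names are assumptions made for illustration, with Python and an in-memory SQLite database standing in for the application.

```python
import sqlite3
import uuid


def make_db():
    """Constructed sample data: two users, each owning one article."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, uuid TEXT UNIQUE, "
        "owner_id INTEGER NOT NULL, title TEXT)"
    )
    db.executemany(
        "INSERT INTO articles (id, uuid, owner_id, title) VALUES (?, ?, ?, ?)",
        [(1, str(uuid.uuid4()), 100, "article owned by user 100"),
         (2, str(uuid.uuid4()), 200, "article owned by user 200")],
    )
    return db


def delete_by_id_and_uuid(db, article_id, article_uuid):
    """Scheme proposed in the question (hypothetical helper).

    The UUID only makes the URL hard to guess. The query never asks who
    is making the request, so any caller holding the pair succeeds.
    """
    cur = db.execute(
        "DELETE FROM articles WHERE id = ? AND uuid = ?",
        (article_id, article_uuid),
    )
    return cur.rowcount == 1


def delete_authorized(db, session_user_id, article_id):
    """Authorization check made part of the action itself (hypothetical helper).

    session_user_id is assumed to come from the server-side session,
    never from the URL or form. Putting the ownership condition in the
    DELETE leaves no gap between the check and the action.
    """
    cur = db.execute(
        "DELETE FROM articles WHERE id = ? AND owner_id = ?",
        (article_id, session_user_id),
    )
    return cur.rowcount == 1  # False: no such row, or not the caller's row
```

A `False` from `delete_authorized` should be reported to the caller the same way whether the record is missing or belongs to someone else, so the response does not reveal which IDs exist.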