免责声明:我是网络开发的新手.
场景:我使用CodeIgniter构建了一个应用程序,最好将其描述为事件日历.应用程序中有一个共享功能,允许您与其他人共享您的活动日历.登录后,用户可以前往共享页面,并从与他们共享活动日历的人员列表中进行选择.目前,当用户选择与他们共享活动日历的人员的姓名时,会生成以下URI:
http://example.com/folder/controller/method/id
id部分是与个人共享其日历的用户的数据库中的owner_id.
问题:很容易将URL的id部分更改为数据库中的另一个用户的owner_id.这允许这样做的人访问未授权共享其活动日历的个人的活动日历.
问题:解决此安全漏洞的方法有哪些?如果还有其他我需要提供的内容,或者以更清晰的方式解释,请告诉我.提前感谢您的时间和精力.
模型:
class Shares_model extends crud_model {
public function __construct()
{
parent::__construct();
$this->pk = 'id';
$this->table_name = 'shares';
}
public function get($shared_to_user_id)
{
$this->db->where('shared_to_id',$shared_to_user_id);
$ids = parent::get_all();
$users = array();
foreach ($ids as $id)
{
$users[$id->owner_id]['owner_id'] = $id->owner_id;
$users[$id->owner_id]['owner_first_name'] = $id->owner_first_name;
$users[$id->owner_id]['owner_last_name'] = $id->owner_last_name;
}
return $users;
}
}
视图:
<div class="panel">
<h4>Shared Planners</h4>
<ol>
<?PHP foreach($sharers as $s): ?>
<li><a href="<?PHP echo base_url('user/shared/view/'.$s['owner_id']) ?>"><strong><?PHP echo $s['owner_first_name']." ".$s['owner_last_name'] ?></strong></a></li>
<?PHP endforeach; ?>
</ol>
</div>
控制器:
class Shared extends Common_Auth_Controller {
private $end_user;
public function __construct()
{
parent::__construct();
$this->end_user = $this->ion_auth->user()->row();
$data['end_user'] = $this->end_user;
$this->load->vars($data);
$this->load->model('events_model','events');
}
public function index()
{
$title['title'] = 'Shared';
$this->load->model('shares_model','shares');
$data['sharers'] = $this->shares->get($this->end_user->id);
$this->load->view('public/head_view',$title);
$this->load->view('user/header_view');
$this->load->view('user/shared_view',$data);
$this->load->view('user/footer_view');
}
解决方法
使用以下逻辑
<?PHP // Check if user is logged in if (!$this->ion_auth->logged_in()) { //Not logged in,so redirect them to login page redirect('account/login','refresh'); } else{ // So the user is logged in // Get the id of the currently logged in user ( The user who is trying to view the page ) $current_user = $this->ion_auth->get_user(); $current_userid = $current_user->id; // you need an array of users who have been invited to that event by the event creator // As you mentioned you are storing the users who have been invited in db,get the ids to an array $invited_users = getIdsOfusers(); if (in_array($current_userid,$invited_users)) { // Yes,The user who is trying to view the page has access // you can show him the respective view } else { // No,The user who is trying to view the page Doesn't have access show_error('You dont have access !',500 ); } } ?>
