
Validating form posts with php and ajax


I have a form in Extjs that is submitting data via POST to my controller. The user is authenticated in the constructor of my controller when the data is submitted. But how do I make sure the user is submitting data for something he is allowed to change? Example...

Tim is the user. Tim is going to edit his 'group description'. In the form I will have his groupid to tell my function what 'group' to edit. What if Tim decided to play a prank on his friend Robbert and changed the groupid to Robbert's group id and edited the description?

My question: Will I have to select the 'groupid' and its permissions along with the user's authenticated data and compare to validate that Tim is the owner of the group? Do I need to create some type of POST secret md5 value? Is there an easier way?

What if someone POSTs data from some other server to my server?

I'm glad I have the internet to ask stupid questions :) Thanks


Solution

  • Will I have to select the 'groupid' and its permissions along with the user's authenticated data and compare to validate that Tim is the owner of the group?

    Yes, that would be the normal way to do an authorisation check. It is not especially onerous.

    Do I need to create some type of POST secret md5 value?

    Not for authorisation's sake. When you need to issue a token that confers authorisation at a later time you would generally use a timestamped HMAC of some sort. But there's no need for that here, just check that the user is authorised to perform the action they are requesting, at the time they request it.

    You probably do need to create some type of POSTed secret for the purposes of protection against cross-site request forgery, but that would be a different question. It would not normally interact with the question of authorisation.
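The two checks the answer describes, as an added example rather than code from the question or the answer: the controller looks up the group's owner and compares it to the authenticated user before updating, and separately verifies a per-session CSRF token. The `$pdo` connection, the `user_groups` table with its `id`, `owner_id` and `description` columns, and `$_SESSION['user_id']` are assumptions.

```php
<?php
// Added example, not from the original post. Assumes an open PDO connection
// in $pdo, a table user_groups(id, owner_id, description), and that the
// controller has already put the authenticated user's id in $_SESSION['user_id'].
session_start();

// Per-session CSRF token: created once, embedded in the form as a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session token.
function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Authorisation check at request time: Tim may only edit groups he owns.
// Returns false (and changes nothing) if $groupId is not owned by $userId.
function updateGroupDescription(PDO $pdo, int $userId, int $groupId, string $description): bool
{
    $owner = $pdo->prepare('SELECT owner_id FROM user_groups WHERE id = :gid');
    $owner->execute([':gid' => $groupId]);
    $ownerId = $owner->fetchColumn();
    if ($ownerId === false || (int) $ownerId !== $userId) {
        return false; // group missing or owned by someone else (e.g. Robbert)
    }
    // Ownership is repeated in the WHERE clause so the update cannot be widened.
    $update = $pdo->prepare(
        'UPDATE user_groups SET description = :desc WHERE id = :gid AND owner_id = :uid'
    );
    return $update->execute([':desc' => $description, ':gid' => $groupId, ':uid' => $userId]);
}

// Controller action for the ExtJS POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token'); // cross-site POST from another server
    }
    $ok = updateGroupDescription($pdo, (int) $_SESSION['user_id'],
        (int) ($_POST['groupid'] ?? 0), (string) ($_POST['description'] ?? ''));
    http_response_code($ok ? 200 : 403);
}
```

The form that renders the edit page calls `csrfToken()` to fill the hidden `csrf_token` field; the groupid from the form is never trusted on its own, only after the owner lookup matches the session user.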