I'm creating a website in which users can create some profiles.
All profiles must be viewable only by the users the creator has chosen; the others won't see them.
Using Angular, you can easily create pages using routes, so for each new page you will have something like:
www.example.com/profiles/profile/1
www.example.com/profiles/profile/2
www.example.com/profiles/profile/3
etc.
But say you own profiles 1, 2 and 3; you can easily view profile/4, profile/5, etc.
How can you implement a system that prohibits viewing, or lets a user see less data than the access-granted users?
Thank you.
As said, the answer should be server side. Authentication should always be server side.
In your case, you need to query the database only once, like you have done so far. Actually, the correct term is just sending an HTTP request to your API (as the HTTP request is doing the DB queries). That HTTP request should start by checking what kind of permissions you have and return the appropriate data (a limited list of users, a specific user, or an error saying you don't have access to that specific content).
I hope it makes sense to you.
If you are using a database, you can add a column AccessRights:
0 = Basic
1 = Profile 1
2 = Profile 1/2
etc
Different integers of AccessRights will let you access different things, and to stop people with access rights 1 from accessing access rights 3 material:
if ($Accessrights < 3)
{
die("You Cannot View This");
}
it will be up to you to assign a variable for $Accessrights or something.
Hopefully this is something you're looking for.
So do I have to query the database on each page a user visits? Wouldn't that be too resource-intensive?
The access system that I want to create is something in the same vein as facebook.
You can see your pages and your friends pages, but you cannot see the private pages.
You can edit your profile, but not other people's profiles.
Is this the right way to go?
You could check if the user is viewing his own record or if he is allowed to view any record
$iUserType = USER_TYPE_ADMIN; // constant
$iUserId = 5; // this and user type can be stored in session after login
$iViewProfileId = 5; // this should come from the request parameters
if (($iViewProfileId != $iUserId) AND (USER_TYPE_ADMIN != $iUserType)) {
// error, user is not permitted to view the record
}
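The two answers above check a single flag or a single "is this my own record" test. Pulled together as one server-side handler, added here as an example (it is not code from either answer): the request supplies only the profile id, the session supplies who is asking, and the response is the full record, a public subset, or a refusal. The table names profiles(id, owner_id, display_name, bio, ...) and profile_viewers(profile_id, user_id), the session layout ['id' => int, 'is_admin' => bool], and the SQLite DSN are assumptions.

```php
<?php
// Added example, not code from the answers above. Assumptions: the
// session holds ['id' => int, 'is_admin' => bool] for the logged-in user,
// and the tables are profiles(id, owner_id, display_name, bio, email, ...)
// and profile_viewers(profile_id, user_id), the creator's chosen viewers.

const VIEW_NONE    = 0;  // refuse; the record is never sent
const VIEW_LIMITED = 1;  // a chosen viewer: public fields only
const VIEW_FULL    = 2;  // owner or admin: every field

// Decide how much of $profile the session user may see. $viewer comes from
// the server-side session, never from the request.
function profileAccessLevel(PDO $db, array $viewer, ?array $profile): int
{
    if ($profile === null) {
        return VIEW_NONE;   // an unknown id is treated like a forbidden one
    }
    if (!empty($viewer['is_admin']) || (int) $viewer['id'] === (int) $profile['owner_id']) {
        return VIEW_FULL;
    }
    $stmt = $db->prepare('SELECT 1 FROM profile_viewers WHERE profile_id = ? AND user_id = ?');
    $stmt->execute([(int) $profile['id'], (int) $viewer['id']]);
    return $stmt->fetchColumn() ? VIEW_LIMITED : VIEW_NONE;
}

// Strip the record down to what the access level allows.
function projectProfile(array $profile, int $level): array
{
    if ($level === VIEW_FULL) {
        return $profile;
    }
    $publicFields = ['id', 'display_name', 'bio'];
    return array_intersect_key($profile, array_flip($publicFields));
}

// Handler for GET /api/profiles/<id>; the Angular route only supplies <id>.
function handleGetProfile(PDO $db, array $viewer, string $rawId): void
{
    // Shape check on the identifier; this is input validation, not authorization.
    if (!ctype_digit($rawId) || strlen($rawId) > 18) {
        http_response_code(400);
        exit;
    }
    $stmt = $db->prepare('SELECT * FROM profiles WHERE id = ?');
    $stmt->execute([(int) $rawId]);
    $profile = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;

    $level = profileAccessLevel($db, $viewer, $profile);
    if ($level === VIEW_NONE) {
        http_response_code(404);   // same answer for "missing" and "not yours"
        exit;
    }
    header('Content-Type: application/json');
    echo json_encode(projectProfile($profile, $level));
}

session_start();
if (empty($_SESSION['user'])) {
    http_response_code(401);
    exit;
}
$db = new PDO('sqlite:app.db');   // any PDO connection; the DSN is a placeholder
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
handleGetProfile($db, $_SESSION['user'], $_GET['id'] ?? '');
```

This costs one or two prepared queries per request, which is the normal price of server-side authorization; caching the decision client-side would just move the check back to where the user controls it. Returning 404 for both a missing and a forbidden profile keeps an attacker from enumerating which ids exist.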
I was wondering if there was a way to create a page on my website that would allow for a user to view the pages in the website that they have been to. I have searched around to see if I could find a hint to where I could start from, but I came up empty. I have already coded a system where a user can sign up and log in, I just need a way so that they can track where they have been. Thanks
I won't go into full detail, as I cannot comment to ask how you would prefer, but an example using sessions would be as follows.
At the start of each page, you could do something like this:
session_start();
if (!isset($_SESSION['pages'])) { $_SESSION['pages'] = array(); } // first visit: start the list
$_SESSION['pages'][] = "You would put a user-friendly page name here";
Or alternatively:
session_start();
if (!isset($_SESSION['pages'])) { $_SESSION['pages'] = array(); }
$_SESSION['pages'][] = __FILE__;
The above would store each page the user visits in a session key named pages. If you wanted to, say, retrieve the last five visited pages, you could then do something like this:
array_slice($_SESSION['pages'], -5);
Although this wouldn't be the most efficient and is just basic, it is the bedrock upon which you could expand.
Another idea would be to log the page visits to a database. You could have a table named page_views or similar with id, user identifier and page as the columns, then follow the above example to 'log' the page views to the database. You could then select from the database and limit to the last 5 records matching the user identifier, therefore receiving the five latest logged pages.
I have a website with 2 types of membership, let's call them "basic" and "premium". What I want is for site links to redirect the user to the relevant profile page based on their membership status, but I don't want there to be too much emphasis on what type of member they are in the URL. I'll try to explain it better:
username_1 = Basic Member
username_2 = Premium Member
URL Redirection
website.com/basic.php?user=username_1
website.com/premium.php?user=username_2
Output
website.com/username_1
website.com/username_2
Any ideas how this can be achieved and, if it can, how would direct linking be affected, i.e. typing www.website.com/username_1 directly into the browser?
I assume you already have a working user system, and some kind of routing so that anything after the website.com/ is matched as a username. In the code that handles the user profile page, you have access to the username, and can get the user's profile from that.
Assuming you store the user's membership type in the profile, simply check for that value and include the appropriate view. It might not be the best practice or how things are usually done, but here's a sample:
$user = get_user_from_db($username);
if ($user->member_type == 'basic') include 'profile/basic.php';
else if ($user->member_type == 'premium') include 'profile/premium.php';
It's not so much of the link redirection that matters. What matters is how you handle the user when loading his or her profile page.
Your case could be resolved with a PHP login system with admin features:
http://evolt.org/node/60384
I am very curious because I would like to be able to check this myself on my own site, as I am currently in the process of designing it. An example would be:
www.somesite.com/product.php?id=1356
When using Facebook, a user can change it and they get the user associated with this id. But in other sites, specifically Ecommerce sites, when I change it, it either fails or goes to the homepage.
There isn't any way to see if the user changed it. This is part of secure coding. From the server's perspective, you need to validate all of your inputs, and validate that the current user actually should have access to the resource they're requesting.
See https://www.owasp.org/index.php/Top_10_2010-A4 for some additional details and examples.
Facebook may seem to allow this only for the example that you've given because the user profile ID that you're attempting to access may be public to you. However, you won't have access to all other user profiles - only user profiles that you have permission to access. If you tried to access my Facebook profile ID, you would also see your access be denied here.
Since this is tagged as e-commerce, you should also be aware of the PCI DSS if you aren't already - where 6.5.4: "Insecure direct object references" applies specifically to this scenario.
When using Facebook, a user can change it and they get the user associated with this id. But in other sites, specifically Ecommerce sites, when I change it, it either fails or goes to the homepage.
Facebook does the same thing.
https://www.facebook.com/profile.php?id=102934810293841029348 goes to an error page titled "Profile Unavailable", because that ID doesn't exist.
You're likely just changing it to nonexistent IDs.
That works via the $_GET method (or $_REQUEST)...
The reason you can change some site id (or any other parameter which is part of the URL) and it works is that they programmed it to behave like that. It actually depends on how this URL parameter is used in the background. For example, in product.php you will have something like this:
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    $id = filterid($id); // your own validation function ... and so on
    // Maybe check the id and redirect if the id is not ok
    // Maybe check the id and some additional secret parameter ...?
    // What is the id? What kind of behaviour do you want?
}
The reason you see different behaviours across different websites depending on URL parameters (in this case "id") is that different behaviours are implemented under different circumstances...
Some of them implement strict checks (especially for ids) because of security. For example, if you have a page and you know that your id must be a number, and you know that the max id in your database is, for example, 15000, you can write something like this:
if (isset($_GET['id']) && strlen($_GET['id']) <= 5 && is_numeric($_GET['id'])) {
    // if everything is ok you can execute your code here
} else {
    $id = 1; // if someone tries to put something else in id, simply redirect him to the first id (first product)
}
That is just one example of behaviour. Now consider what else can be done. What do you want to do? How do you want it to behave? What kind of behaviour you implement on your side, depending on the parameters within the URL, is totally up to you. The user can follow your logic on your web app by clicking on your predefined links, or he can manipulate the URL however he wants. You have no possibility to check this. All you can do is properly validate all of the inputs (no matter whether they come from the URL or from some kind of POST request).
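The answers above separate two things that are easy to conflate: validating the shape of the id and deciding whether the current user may use it. The following added example (not code from any of the answers) puts the two side by side for a hypothetical order page rather than product.php, since product pages are usually public while orders are the classic thing an e-commerce customer should not be able to read by changing a number. The orders(id, customer_id, total) table, the function names and the in-memory SQLite database (pdo_sqlite) are assumptions.

```php
<?php
// Added example, not from the original answers. Assumed table
// orders(id, customer_id, total) and a PDO connection; the demo builds an
// in-memory SQLite database with constructed rows.

// VULNERABLE: the id is validated (digits only) but the query is not scoped
// to the logged-in customer, so any customer can read any order by id.
function loadOrderInsecure(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM orders WHERE id = ?');
    $stmt->execute([(int) $rawId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// HARDENED: the same validation, plus the owner as part of the lookup.
// A guessed id that belongs to someone else simply finds no row.
function loadOrderForCustomer(PDO $db, string $rawId, int $customerId): ?array
{
    if (!ctype_digit($rawId) || strlen($rawId) > 18) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM orders WHERE id = ? AND customer_id = ?');
    $stmt->execute([(int) $rawId, $customerId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Self-contained demo: constructed orders for two customers.
function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL)');
    $db->exec('INSERT INTO orders VALUES (1356, 7, 49.90), (1357, 8, 120.00)');

    $me = 7;  // customer id from the server-side session, never from the URL
    return [
        'insecure_other' => loadOrderInsecure($db, '1357'),                // leaks customer 8's order
        'hardened_other' => loadOrderForCustomer($db, '1357', $me),        // null
        'hardened_own'   => loadOrderForCustomer($db, '1356', $me),        // row 1356
        'hardened_junk'  => loadOrderForCustomer($db, '1356 OR 1=1', $me), // null: fails validation
    ];
}

var_dump(demo());
```

The prepared statement already protects against injection in both versions; what the hardened version adds is that the row is found through the owner, so there is no separate "is this mine?" branch to forget. The same pattern covers the profile case above: put the viewer's id into the query, not just the record's id.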
I want to set up a few internal statistics for one of my dynamic sites. The idea is to make available to each member of the site:
a) How many times the profile has been seen in the day (1 click = 1 ip = 1 view)
b) How many times the profile has been seen in the month (1 click = 1 ip = 1 view)
c) How many have left through the mail button "contact".
Before developing this in PHP, I wanted to know whether you might have a resource that does these actions. It would save me some time.
Sincerely,
Well, you would just simply need to have a DB where you could save those statistics. Then, you would create a class with a few functions that save statistics to this DB. E.g.
function addPageview($pageIdentifier, $loggedInUser) {
// code to save to DB
}
Then, when a page is viewed (e.g. the profile page of someone), you make a call to this addPageview() with the correct page identifier (e.g. the URL) and the logged-in user, so you know who has viewed the page. You leave $loggedInUser empty if there is no logged-in user.
Good luck!
So if you want to increase your profile-views counter by 1, you can restrict this to once every 24 hours by setting a cookie on the visitor's computer with that specific user's ID. The user can clear their cookies and visit the profile again, but "commoners" don't know about this technique.
In your code for viewing the profile, you use the following pseudocode:
if user has no cookie
bump views up by 1
So I created my own internal link tracker for ZF.
I don't use cookies.
I check if an IP has already been on the site. If so, I update the date of the last visit; otherwise I create it. Then I check if the called page has already been visited. If so, I update it; otherwise I insert it. Then I check if the IP/page association exists: if so, I update it; otherwise I insert it.
In the end, I can have a system of click per day, month, year, and for su ...
I wrote a tutorial on the occasion on my blog, because now it is only really suited to the current project.
Thank you for your support.
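The posts above describe the "1 click = 1 IP = 1 view per day" rule twice, once with a cookie and once with IP/page rows in the database. The following added example (not code from any of the posts) implements the database form with a uniqueness constraint doing the de-duplication, so no read-then-write race can double count. The table layout, VIEW_SECRET and the in-memory SQLite database are assumptions; INSERT OR IGNORE is the SQLite spelling, MySQL would use INSERT IGNORE.

```php
<?php
// Added example, not from the original posts. Counts one view per
// (profile, visitor IP, calendar day) using a UNIQUE constraint, so a
// repeat visit by the same address on the same day is silently dropped.
// The schema, VIEW_SECRET and the SQLite connection are assumptions.

const VIEW_SECRET = 'replace-with-a-random-server-side-secret';

function openStats(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE profile_views (
        profile_id INTEGER NOT NULL,
        day        TEXT    NOT NULL,   -- YYYY-MM-DD
        viewer     TEXT    NOT NULL,   -- keyed hash of the IP, not the raw address
        UNIQUE (profile_id, day, viewer)
    )');
    return $db;
}

// Record a view. Returns true if it counted, false if this IP already
// viewed the profile today. Storing an HMAC of the IP keeps the table from
// being a list of visitor addresses while still de-duplicating per address.
function recordView(PDO $db, int $profileId, string $ip, string $day): bool
{
    $viewer = hash_hmac('sha256', $ip, VIEW_SECRET);
    $stmt = $db->prepare(
        'INSERT OR IGNORE INTO profile_views (profile_id, day, viewer) VALUES (?, ?, ?)'
    );
    $stmt->execute([$profileId, $day, $viewer]);
    return $stmt->rowCount() === 1;   // 0 when the UNIQUE constraint dropped the row
}

// Views for one day ('YYYY-MM-DD') or for a whole month ('YYYY-MM').
function countViews(PDO $db, int $profileId, string $period): int
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM profile_views WHERE profile_id = ? AND day LIKE ?'
    );
    $stmt->execute([$profileId, $period . '%']);
    return (int) $stmt->fetchColumn();
}

$db = openStats();
// Constructed sample traffic: the first address reloads the page, the
// second is a different visitor, the first comes back the next day.
recordView($db, 42, '203.0.113.5',  '2024-05-01');
recordView($db, 42, '203.0.113.5',  '2024-05-01');   // ignored
recordView($db, 42, '198.51.100.9', '2024-05-01');
recordView($db, 42, '203.0.113.5',  '2024-05-02');

printf("day:   %d\n", countViews($db, 42, '2024-05-01'));  // 2
printf("month: %d\n", countViews($db, 42, '2024-05'));     // 3
```

In a real page handler the arguments would be $_SERVER['REMOTE_ADDR'] and date('Y-m-d'); behind a reverse proxy take the client address from the proxy's forwarded header only if you trust that proxy to set it, since otherwise the visitor chooses their own "IP" and the de-duplication is meaningless.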
Is it possible to have a website where each user gets their own URL like:
www.thewebsite.com/myusername
I want each user site to be the same, the only reason the name matters is if a person visiting the site signs up, they get their own custom url, but the person they signed up under is kept track of as their "Parent".
So if I go to www.thewebsite.com/phil and sign up as David, then my site becomes www.thewebsite.com/david but Phil is kept track of in my user record. (i.e. is there a way for me to know which url they visited the site under)
So, really that's 2 questions:
1) How do I make custom urls per user
2) How do I know which url a new user visited from
I'm pretty brand new to PHP so keep that in mind.
You can implement this using Apache mod_rewrite.
Make a rewrite rule (in .htaccess, after RewriteEngine On) something like:
RewriteRule ^users/([A-Za-z0-9_]+)$ users.php?userid=$1 [L]
In the users.php file, read the userid parameter and return the page corresponding to the given user.
As for tracking from which user someone registered/logged in to your site, you can keep a session value, such as the referencing user id, and when the new user registers, write to your DB who referred him to your site.
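Filling in the two steps of that answer, as an added example that is not the answer's own code: users.php accepts only a username of the shape the rewrite rule passes through, looks the user up with a prepared statement, remembers the first profile the visitor landed on in the session, and copies that into the parent_id column when the visitor signs up. The users(id, username, password_hash, parent_id) table, the function names and the SQLite DSN are assumptions.

```php
<?php
// Added example, not the original answer's code. Assumed table
// users(id, username, password_hash, parent_id) and a PDO connection.
session_start();
$db = new PDO('sqlite:app.db');   // placeholder DSN
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Accept only the username shape the rewrite rule allows; anything else is 404.
function lookupUser(PDO $db, string $raw): ?array
{
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $raw)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$raw]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Remember whose page the visitor arrived on; the first one wins so a later
// visit to another user's page does not steal the referral.
function rememberReferrer(array $user): void
{
    if (!isset($_SESSION['referrer_user_id'])) {
        $_SESSION['referrer_user_id'] = (int) $user['id'];
    }
}

// Called from the signup form handler: copy the session's referrer into the
// new row. The parent comes from the session, never from a form field.
function registerUser(PDO $db, string $username, string $password): int
{
    $parent = $_SESSION['referrer_user_id'] ?? null;
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash, parent_id) VALUES (?, ?, ?)'
    );
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $parent]);
    return (int) $db->lastInsertId();
}

$user = lookupUser($db, $_GET['userid'] ?? '');
if ($user === null) {
    http_response_code(404);
    exit('No such user');
}
rememberReferrer($user);
echo 'Profile of ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
```

Typing www.thewebsite.com/users/phil directly works the same way as following a link, because the rewrite rule and lookupUser() see only the path; the referral is tied to the session, so it survives until the visitor signs up or the session expires.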