Forum

November 2nd, 2014
Security with URL used in jqgrid
15/09/2010
16:23
thlas77

Hi all,

I have a question about security in JQGRID.

When I display my grid, the generated URL can be copied and pasted from Firebug, for example:

http://www.totosico.com/compon.....8;sord=asc

If I change filter_var1_id to 105 instead of 102, I can retrieve some data I'm not allowed to see (displayed in an XML format, not in the grid...)

So my questions are:

- How can I prevent this?

- Is concatenating the variables in the URL the right way to do it?

Thanks for your help

Thierry

15/09/2010
17:25
OlegK

You should use server-side user authentication and verify on every request whether the user is allowed to retrieve the data or not. If you want the URL with filter_var1_id=105 to be prohibited for all users, you can also do this very simply on the server side.

If you only want to disallow the use of filter_var1_id=105 in the URL, you can use HTTP POST instead of GET in jqGrid and on the server. In that case the user needs a tool like Fiddler (see http://www.fiddler2.com/fiddler2/) to get the data. Nevertheless, such a change will not really give you much more security.

So my answer: this should be a function of the server side of your code, so it is not a question about jqGrid. All client-side validation in this case is unsafe.

Best regards
Oleg 

15/09/2010
20:37
thlas77

Thanks OlegK for your answer.

Just for your information, I want to use jqGrid with Joomla.

In fact, I should verify that the user id is authorised to consult the data of the group with id 105. If not, an error message will be displayed.

I have a datasource.php where the query is coded to access the database to retrieve the data for my grid.

Is it in this file that I have to code the query that checks that the user id and group id are compatible, just before my query for the data?

To get the user id, I usually use in Joomla $user =& JFactory::getUser(); and $current_user = (int) $user->get('id'); How can I do that here? (sorry if my questions are basic...)

If a Joomla expert could help me, it would be nice (I have already downloaded the component and module from http://www.dunia-azka.co.cc/)

Thanks

Thierry
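The check Oleg describes and Thierry asks about, as an added example that is not code from this thread, from jqGrid or from the downloaded component: a datasource.php that decides server-side, on every request, whether the logged-in Joomla user may read the group named by filter_var1_id, and only then runs the grid query. The table names #__mycomp_group_members (user_id, group_id) and #__mycomp_records (id, group_id, name, amount) are hypothetical, and the Joomla 1.5/2.5-era JFactory/JRequest/JDatabase calls are assumed to be the ones available in Thierry's install.

```php
<?php
// Added example: authorise the requested group before querying (hypothetical tables).
defined('_JEXEC') or die; // reachable only through the Joomla bootstrap

$user    = JFactory::getUser();
$userId  = (int) $user->get('id');
$groupId = JRequest::getInt('filter_var1_id', 0);

// Anonymous users and requests without a group id get nothing.
if ($userId === 0 || $groupId === 0) {
    header('HTTP/1.1 401 Unauthorized');
    exit;
}

$db = JFactory::getDbo();

// The URL parameter is only a selector; this query makes the access decision.
$db->setQuery('SELECT COUNT(*) FROM #__mycomp_group_members'
    . ' WHERE user_id = ' . $userId . ' AND group_id = ' . $groupId);
if ((int) $db->loadResult() === 0) {
    header('HTTP/1.1 403 Forbidden'); // same answer whether the group exists or not
    exit;
}

// jqGrid paging/sorting parameters; sidx is matched against a whitelist
// of column names so free text never reaches ORDER BY.
$columns = array('id', 'name', 'amount');
$page    = max(1, JRequest::getInt('page', 1));
$limit   = max(1, JRequest::getInt('rows', 20));
$sidx    = JRequest::getCmd('sidx', 'id');
$sord    = JRequest::getCmd('sord', 'asc') === 'desc' ? 'DESC' : 'ASC';
if (!in_array($sidx, $columns, true)) {
    $sidx = 'id';
}

$db->setQuery('SELECT COUNT(*) FROM #__mycomp_records WHERE group_id = ' . $groupId);
$total = (int) $db->loadResult();

// Data query, still scoped to the group that was just authorised.
$db->setQuery('SELECT id, name, amount FROM #__mycomp_records'
    . ' WHERE group_id = ' . $groupId . ' ORDER BY ' . $sidx . ' ' . $sord,
    ($page - 1) * $limit, $limit);
$rows = $db->loadObjectList();

// Emit the rows/row/cell XML that jqGrid expects, escaping every cell.
header('Content-Type: text/xml; charset=utf-8');
echo "<?xml version='1.0' encoding='utf-8'?>\n";
echo '<rows><page>' . $page . '</page><total>' . (int) ceil($total / $limit)
   . '</total><records>' . $total . '</records>';
foreach ($rows as $r) {
    echo "<row id='" . (int) $r->id . "'>";
    foreach ($columns as $c) {
        echo '<cell>' . htmlspecialchars((string) $r->$c, ENT_QUOTES, 'UTF-8') . '</cell>';
    }
    echo '</row>';
}
echo '</rows>';
```

Because the membership query runs on every request, changing filter_var1_id in the copied URL yields a 403 rather than another group's XML; switching the grid to POST would not add anything to this check.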
