Tuesday, January 23, 2018

How to secure an API from attacks?

Let's say I have these tables:

- User (id, name)
- Company (id, name, user_id)
- Department (id, name, company_id)
- Employee (id, name, department_id)

Now I have made an API to update an employee record. After JWT authentication, I get the logged-in user and give him permission to update his employee's department. What if someone posts (via Postman or any REST API client) a random department_id which belongs to some other company?

How do I verify that the department_id he is updating belongs to him? It may be possible that an attacker registers in the app and gets a JWT token, then passes a random department_id or employee_id and deletes or updates records for another user.

There is one solution I have in mind, i.e. to query (using left joins where department_id = $_POST['department_id']) to get the user_id and then match it with the JWT-authenticated user.

But then I'll have to do it for every add, update and delete API I have in the whole project and traverse through the tables to get the user_id.

This will require a lot of work, and I'll have to implement a whole new layer before the request passes to the controller.

Is there any better solution for this?



via Chebli Mohamed
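The ownership check the question describes (walk the foreign keys from the posted id up to user_id and compare it with the JWT subject), worked out as an added example that is not part of the original post. It uses Python and an in-memory SQLite database with the four tables from the question so it runs offline; the original project is presumably PHP, and the table data, the `OWNER_QUERIES` map, `assert_owns`, `move_employee` and `delete_employee` are all assumptions made for illustration. The point it demonstrates is that the join only has to be written once per resource type, in one table of queries, and every handler then calls the same two-line check; the second pattern (`delete_employee`) folds the ownership predicate into the statement itself so a foreign id simply affects zero rows.

```python
import sqlite3

# Schema taken from the question's four tables (types are assumptions).
SCHEMA = """
CREATE TABLE user       (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE company    (id INTEGER PRIMARY KEY, name TEXT, user_id INTEGER REFERENCES user(id));
CREATE TABLE department (id INTEGER PRIMARY KEY, name TEXT, company_id INTEGER REFERENCES company(id));
CREATE TABLE employee   (id INTEGER PRIMARY KEY, name TEXT, department_id INTEGER REFERENCES department(id));
"""

# Constructed sample data: user 1 owns company 1 (department 10, employee 100),
# user 2 owns company 2 (department 20, employee 200).
SAMPLE_DATA = """
INSERT INTO user       VALUES (1, 'alice'), (2, 'mallory');
INSERT INTO company    VALUES (1, 'Acme', 1), (2, 'Other Co', 2);
INSERT INTO department VALUES (10, 'Sales', 1), (20, 'Ops', 2);
INSERT INTO employee   VALUES (100, 'bob', 10), (200, 'carol', 20);
"""


def open_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


# One ownership query per resource type: each resolves "which user owns this row"
# by joining up the foreign-key chain to company.user_id. This map is the single
# place where the join logic lives; handlers never repeat it.
OWNER_QUERIES = {
    "company":    "SELECT user_id FROM company WHERE id = ?",
    "department": "SELECT c.user_id FROM department d "
                  "JOIN company c ON c.id = d.company_id WHERE d.id = ?",
    "employee":   "SELECT c.user_id FROM employee e "
                  "JOIN department d ON d.id = e.department_id "
                  "JOIN company c ON c.id = d.company_id WHERE e.id = ?",
}


class Forbidden(Exception):
    """Raised when the caller does not own the referenced row (maps to HTTP 403)."""


def assert_owns(conn, user_id, resource, resource_id):
    """Raise Forbidden unless user_id (taken from the verified JWT) owns the row.
    A row that does not exist is treated exactly like a foreign row, so the API
    does not leak which ids exist."""
    row = conn.execute(OWNER_QUERIES[resource], (resource_id,)).fetchone()
    if row is None or row[0] != user_id:
        raise Forbidden(f"user {user_id} does not own {resource} {resource_id}")


def move_employee(conn, user_id, employee_id, new_department_id):
    """Update handler. Both ids that arrive in the request body are checked:
    the employee being modified AND the department it is being moved into."""
    assert_owns(conn, user_id, "employee", employee_id)
    assert_owns(conn, user_id, "department", new_department_id)
    cur = conn.execute("UPDATE employee SET department_id = ? WHERE id = ?",
                       (new_department_id, employee_id))
    conn.commit()
    return cur.rowcount


def delete_employee(conn, user_id, employee_id):
    """Alternative pattern: put the ownership predicate inside the statement.
    rowcount 0 means 'not found or not yours'; a foreign row is never touched."""
    cur = conn.execute(
        "DELETE FROM employee WHERE id = ? AND department_id IN ("
        "  SELECT d.id FROM department d JOIN company c ON c.id = d.company_id"
        "  WHERE c.user_id = ?)",
        (employee_id, user_id))
    conn.commit()
    return cur.rowcount


def try_move(conn, user_id, employee_id, new_department_id):
    """Map the handler outcome to an HTTP-style status for the caller."""
    try:
        move_employee(conn, user_id, employee_id, new_department_id)
        return 200
    except Forbidden:
        return 403


if __name__ == "__main__":
    db = open_db()
    print("alice moves her own employee:        ", try_move(db, 1, 100, 10))
    print("mallory moves alice's employee:      ", try_move(db, 2, 100, 20))
    print("alice moves bob into mallory's dept: ", try_move(db, 1, 100, 20))
    print("mallory deletes alice's employee:    ", delete_employee(db, 2, 100))
```

The `OWNER_QUERIES` map is the "new layer" the question worries about, reduced to one query string per table; adding a fifth table means adding one entry, not touching every handler. Checking every id in the request body, not just the one in the URL, is what closes the case of an attacker moving his own employee into someone else's department.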
