
I have a ReactJS front-end app mixed with a Laravel back-end app.

I'm facing a problem with auth. I'm authenticating the user with Laravel auth but I have some trouble on displaying components. I have some posts (/posts/1 or /posts/2 etc...) and when the user visits the page, he can modify the post if he is the author.

I'm storing the id of the user as state and checking it like this:

if(this.props.user.id === this.props.posts.id_user) ...

But this is really unsafe since the state can be modified by anyone with the dev tool. By modifying the state, the user could modify a post even if he is not the author because all displayed components managing the edit would be accessible for him.

Is there a "magic" trick to prevent it?

  • There's really no magic to it, sadly. You have to verify in the back end that the user that is trying to modify some resource has the right to do it. Commented Feb 26, 2019 at 1:11
  • So he can modify the display as he wants by just changing the state, but I still need to do a check on the back end, is that right? Commented Feb 26, 2019 at 1:25
  • Yes, that's right. It's not an issue if the user messes with their own data in the browser, but you need to guard against users modifying resources they don't have permission to in the back end. Commented Feb 26, 2019 at 1:27
  • I'll check that then, thanks, it really helped me! Commented Feb 26, 2019 at 1:29

1 Answer


First of all, the state you are talking about is the app state, the one that resides in the browser. If the user changes that state, the effects only affect that user, in his own browser; theoretically, it does not change the data or state in your backend/database, unless you don't implement the same validation you are talking about.

If you do if(this.props.user.id === this.props.posts.id_user) in your front end, you absolutely have to do it in your back end as well. That is the place where the real validation counts, and that's where the user can't change the user id, because, for example, you will be using the one from the user session that is stored in cookies or on a Redis server.

Always validate in the backend
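As an added example (not code from the question or the answer), here is what that server-side check looks like in Laravel: a policy that compares the authenticated user taken from the session with the post's author column, and a controller that enforces it before saving. The `id_user` column comes from the question; the `App\Models\Post` / `App\Models\User` class names and the `body` field are assumptions.

```php
<?php
// app/Policies/PostPolicy.php (added example, assumed file layout)
namespace App\Policies;

use App\Models\Post;
use App\Models\User;

class PostPolicy
{
    // Laravel injects the user resolved from the server-side session here.
    // Nothing the browser sends (React state, a tampered user id in the
    // request body) can influence $user, so this is the check that counts.
    public function update(User $user, Post $post): bool
    {
        // Cast both sides: some PDO drivers return integer columns as strings,
        // which would make a strict === comparison fail for the real author.
        return (int) $user->id === (int) $post->id_user;
    }
}

// app/Http/Controllers/PostController.php (added example, assumed file layout)
namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Http\Request;

class PostController extends Controller
{
    public function update(Request $request, Post $post)
    {
        // Throws AuthorizationException (HTTP 403) when PostPolicy::update
        // returns false, whatever the front end believed about the user.
        $this->authorize('update', $post);

        $post->update($request->validate(['body' => 'required|string']));

        return response()->json($post);
    }
}

// routes/web.php (added example): require an authenticated session first,
// so unauthenticated requests never reach the policy at all.
// Route::put('/posts/{post}', [PostController::class, 'update'])->middleware('auth');
//
// If your Laravel version does not auto-discover policies, register the mapping
// in AuthServiceProvider: Post::class => PostPolicy::class.
```

The front-end `if(...)` can stay purely to hide the edit controls; it no longer decides anything, because a tampered state only produces a 403 from the controller.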
