
I'm building a message system to learn how it works, and I've already got pretty much everything. I can log in and make a post on a board, but now I would like to be able to edit it. The back-end is ready, it receives a POST request.

Basically what I need to do is check if the currently logged in user is the author of a certain post from Javascript to show or hide the edit button. I know how to tell if the user is logged in from PHP so that it blocks requests if you aren't the author, but I can't hide or show the buttons as the posts are dynamically generated from a <template> using JS.

Login snippet:

$_SESSION["userid"] = $userid;

Edit check PHP snippet (kinda pseudo-code):

if ($_POST["action"] == "modifypost" && isset($_POST["postid"]) && isset($_POST["content"]))
{
  $post = get_post($_POST["postid"]);
  // object property access in PHP is ->, not . (which is string concatenation)
  if ($post->userid != $_SESSION["userid"])
  {
    die("you are not allowed");
  }
  //MySQL queries
}

Post dynamic generation (abbreviated):

function add_post(post) {
  var t = document.querySelector('#historypost');
  // textContent rather than innerHTML: post.content is user-supplied, and
  // inserting it as HTML would let one user's post run script in another user's browser
  t.content.querySelector(".content").textContent = post.content;

  var clone = document.importNode(t.content, true);
  document.body.appendChild(clone);
}

I had originally thought of setting a variable with the user ID from HTML with <script> and <?php ?>, but then the user would be able to manually set that variable from the console and show the buttons.

  • Why do you care if a user shows a button to himself? You need to check the request on the server side anyhow. Does it matter if the entire request is fake, or if it used your js to create it? IMO you only need to worry about users changing other users' js (XSS) and validate that a user's request was intended (CSRF). If they use the console to alter your website in their eyes only, let them. Commented Jul 30, 2017 at 0:42
  • If they can't save their changes because you check it on Post then it doesn't matter if they try editing the javascript to show the edit button etc. Commented Jul 30, 2017 at 0:42

2 Answers

I had originally thought of setting a variable with the user ID from HTML with <script> and <?php ?>

Yes, this is one correct approach. Basically, use PHP to tell JavaScript which posts actually belong to the current user.

but then the user would be able to manually set that variable from the console and show the buttons

True. There is no way to secure information from user-meddling once you've sent it to the browser. This is because the user is in control of what gets executed in the browser. Instead of thinking of the button visibility as a security feature, think of it as a convenience -- something to make the user experience more pleasing.

Application security is really enforced on the server. Just make sure that one user is not allowed to edit another user's posts, and do not trust what comes from the browser. Verify inputs.
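The approach this answer describes, as an added example rather than code from the question or either answer: the server makes the only authorization decision, and the same decision is handed to JavaScript purely so it can show or hide the edit button. It assumes a PDO connection in `$pdo`, a `posts` table with columns `id`, `userid`, `content`, and that login stored `$_SESSION["userid"]` as in the question; the function and column names are assumptions.

```php
<?php
// Added example, not the question's own code. Assumes $pdo (PDO), a table
// `posts` (id, userid, content) and $_SESSION["userid"] set at login.
session_start();

// Look up the post by id; the id comes from the client, so it is bound, never interpolated.
function get_post(PDO $pdo, int $postid): ?array {
    $stmt = $pdo->prepare("SELECT id, userid, content FROM posts WHERE id = ?");
    $stmt->execute([$postid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The one check that matters: does the logged-in session user own this post?
function is_author(?array $post): bool {
    return $post !== null
        && isset($_SESSION["userid"])
        && (int)$post["userid"] === (int)$_SESSION["userid"];
}

// Edit handler: $_POST values are used only as a lookup key and as the new content.
if (($_POST["action"] ?? "") === "modifypost") {
    $postid  = filter_input(INPUT_POST, "postid", FILTER_VALIDATE_INT);
    $content = $_POST["content"] ?? null;
    $post = ($postid !== null && $postid !== false) ? get_post($pdo, $postid) : null;
    if (!is_author($post) || $content === null) {
        http_response_code(403);
        die("you are not allowed");
    }
    // userid in the WHERE clause repeats the check at the database, so a race
    // or a later refactor of is_author() cannot silently widen who may edit.
    $stmt = $pdo->prepare("UPDATE posts SET content = ? WHERE id = ? AND userid = ?");
    $stmt->execute([$content, $postid, (int)$_SESSION["userid"]]);
    exit;
}

// Listing: give JS the same per-post decision so it can hide the edit button.
// This flag is a convenience only; flipping it in the console still ends at the 403 above.
$posts = [];
foreach ($pdo->query("SELECT id, userid, content FROM posts") as $row) {
    $posts[] = [
        "id"      => (int)$row["id"],
        "content" => $row["content"],
        "canEdit" => is_author($row),
    ];
}
?>
<!-- JSON_HEX_TAG keeps a post containing "</script>" from breaking out of the tag -->
<script>var posts = <?php echo json_encode($posts, JSON_HEX_TAG | JSON_HEX_AMP); ?>;</script>
```

On the client, `add_post` can read `post.canEdit` to decide whether to clone the edit button into the template; the server never reads that flag back.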


Ideally, I would prefer to put the post rendering logic inside the server-side.

But as your solution is focused on javascript, an option is to make PHP render a javascript variable that tells if the user is the post author.

Example:

Inside your PHP file, in the HTML render part you can do this:

<script>var isAuthor = '<?php echo ($post->userid == $_SESSION["userid"]); ?>';</script>

Doing this you will have a javascript variable called isAuthor that will have the value "1" if the user is the author.

But as I said, this doesn't look like a good approach to solve the problem. It's something that PHP can handle better, without exposing your logic to the client.
