
I have this code:

<input type="button" value="Delete Group" class="followbt" name="delete" onclick="deleteGroupDialog(' . $group_row['ngroup'] . ');">

The field 'ngroup' is the group number that I want to delete, and I am passing it to a JavaScript function that opens a jQuery dialog window in order to ask if the user is certain of what they are doing. The problem is that anyone can go into the browser, edit that number and delete any group (that belongs to him).

I have already searched for this but I didn't find anything. Is there a way to pass the argument more securely?

PS: When I show the dialog window I don't want to reload the page or make a server request.

  • It's not the "man in the middle" that can change that argument, it's any person who can access "Inspect Element" in any browser... Commented Apr 25, 2015 at 13:45
  • There's no way to secure that. If you don't want the end user to have access to the data, don't send it to the end user, and if you don't want the end user to be able to delete anything on your server, validate the input from the end user. Commented Apr 25, 2015 at 13:50
  • There is no way on the client side ...... you must configure the server to prohibit the access. Commented Apr 25, 2015 at 14:06

1 Answer

Your client-side code should never be the final word on what the user is allowed to do; that's the server's job. Client-side gatekeeping is purely there for UX, to guide the user to doing what they're allowed to do and guide them away from what they're not allowed to do.

Yes, the client can indeed go in and edit things, or even custom-craft HTTP messages to send to your server. That's why your server needs to be the gatekeeper. That way, you don't care if the user hand-edits the group number: If they're allowed to delete the group, they can delete it (through the UI or nefarious means); if they aren't, they can't, no matter how much client-side trickery they try.
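What the server-side gatekeeper the answer describes looks like in practice, as an added example that is not code from the question or the answer above. It assumes a `groups` table with columns `ngroup` and `owner_id`, the logged-in user's id kept in the PHP session under `user_id`, a `delete_group` endpoint that the dialog's confirm button POSTs to, and the `pdo_sqlite` extension for the self-contained demo at the bottom; only `ngroup` comes from the original page. The ownership check lives in the DELETE statement itself, so a hand-edited group number that belongs to someone else simply matches no rows:

```php
<?php
declare(strict_types=1);

// Added example (not the question's or the answer's own code).
// Assumed schema: groups(ngroup INTEGER PRIMARY KEY, owner_id INTEGER).
// Assumed session layout: $_SESSION['user_id'] holds the logged-in user's id.

function deleteGroup(PDO $db, int $ownerId, int $ngroup): bool
{
    // Ownership is part of the query: a group number that belongs to another
    // user matches zero rows, so nothing is deleted and the response does not
    // reveal whether that group exists at all.
    $stmt = $db->prepare(
        'DELETE FROM groups WHERE ngroup = :ngroup AND owner_id = :owner'
    );
    $stmt->execute([':ngroup' => $ngroup, ':owner' => $ownerId]);
    return $stmt->rowCount() === 1;
}

/**
 * Handles the POST the dialog's "Yes, delete" button sends.
 * Returns the HTTP status code to emit; the caller renders it.
 * $session, $post and $method are passed in instead of being read from
 * $_SESSION, $_POST and $_SERVER so the logic can run without a web server.
 */
function handleDeleteRequest(PDO $db, array $session, array $post, string $method): int
{
    if ($method !== 'POST') {
        return 405;   // a destructive action must not be reachable through a plain link
    }
    if (!isset($session['user_id'])) {
        return 401;   // identity comes from the server-side session, never from the client
    }
    // Validate the shape of the argument; the value itself stays untrusted.
    $ngroup = filter_var($post['ngroup'] ?? null, FILTER_VALIDATE_INT);
    if ($ngroup === false) {
        return 400;
    }
    return deleteGroup($db, (int) $session['user_id'], $ngroup) ? 200 : 403;
}

// Demo against an in-memory SQLite database with constructed rows:
// group 10 belongs to user 1, group 11 belongs to user 2.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE groups (ngroup INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL)');
$db->exec('INSERT INTO groups (ngroup, owner_id) VALUES (10, 1), (11, 2)');

$user1 = ['user_id' => 1];

// User 1 confirms the dialog for their own group 10.
echo 'own group:       ', handleDeleteRequest($db, $user1, ['ngroup' => '10'], 'POST'), "\n";
// User 1 edits the onclick argument to 11, which belongs to user 2.
echo 'someone else\'s:  ', handleDeleteRequest($db, $user1, ['ngroup' => '11'], 'POST'), "\n";
// A tampered, non-numeric argument never reaches the query.
echo 'garbage input:   ', handleDeleteRequest($db, $user1, ['ngroup' => '11 OR 1=1'], 'POST'), "\n";
// No session at all.
echo 'not logged in:   ', handleDeleteRequest($db, [], ['ngroup' => '11'], 'POST'), "\n";
echo 'rows remaining:  ', (int) $db->query('SELECT COUNT(*) FROM groups')->fetchColumn(), "\n";
```

Only the first request deletes anything; the three tampered or unauthenticated requests are refused and user 2's group is still in the table afterwards. The jQuery dialog from the question stays exactly as it is, purely as a confirmation step: whatever number it ends up sending, the DELETE can only ever touch rows whose `owner_id` matches the session, so editing the `onclick` argument gains the user nothing.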
