Best practice forum (Archived)

URL Encoding?

John Unnever
URL Encoding?
by John Unnever, Thursday 14 January 2016, 21:28
Group: Partners

Hi guys,

Does Totara / Moodle have a preferred way of encoding URL variables? For instance, I'm developing some forms and I pass the form record id through the URL to the next page to view it, but I don't want users to just change the record id and be able to pull up other users' forms. I know there are several ways to accomplish this, I'm just wondering what Totara developers recommend, considering we ran a security scan against the software and it came back with flying colors :)

Simon Coggins
Re: URL Encoding?
by Simon Coggins, Friday 15 January 2016, 12:13
Group: Totara

Trying to obscure the URL variable is not the correct approach. Instead you need to clean the variable then do a specific permission check.

For variable cleaning you should use required_param() or optional_param() with the correct PARAM_* type. If it is an ID use PARAM_INT. It is recommended you do this near the top of the page and store a variable for using later.

After that you need to confirm that the user viewing the page is allowed to see that record. Typically this is done via a capability check (require_capability()) or a custom piece of code. For example if users are only allowed to see widgets they created, you might have a userid in the widget table. Then you could do:

// $idfromurl was cleaned earlier with required_param('id', PARAM_INT).
$widgetownerid = $DB->get_field('widget', 'userid', array('id' => $idfromurl));
if ($USER->id != $widgetownerid) {
    // throw an error to prevent access
    throw new moodle_exception('nopermissions', 'error', '', 'view widget');
}

That way, the user can change the URL to anything they want but won't be able to access content that is not allowed. Try to do these checks as early in the page as possible.

Simon
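The clean-then-authorise pattern from the reply above, written out as a complete page script. This is an added example, not code from the thread or from Totara/Moodle itself; the 'widget' table (with id and userid columns), the script path /local/widget/view.php and the capability name 'local/widget:viewall' are assumptions for illustration.

```php
<?php
// Added example (not from the thread or Totara's code): a minimal Moodle/Totara
// page that reads a record id from the URL, cleans it with required_param(),
// then enforces ownership (or a capability) before rendering anything.
// Assumptions: a table named 'widget' with columns id and userid, and a
// hypothetical capability 'local/widget:viewall' for staff who may view any record.
require_once(__DIR__ . '/../../config.php');

// 1. Clean the input near the top of the page. A value that is not an
//    integer raises an exception here, so $id is a trusted int from now on.
//    No obscuring or encoding of the id is needed: tampering with it is expected.
$id = required_param('id', PARAM_INT);

// 2. Identify the user before touching any data.
require_login();

$context = context_system::instance();
$PAGE->set_context($context);
$PAGE->set_url(new moodle_url('/local/widget/view.php', array('id' => $id)));

// 3. Load the record. MUST_EXIST turns an unknown id into a proper
//    "record not found" exception instead of a false value that a loose
//    comparison might mishandle.
$widget = $DB->get_record('widget', array('id' => $id), '*', MUST_EXIST);

// 4. Authorise as early as possible: the owner may view the record, or anyone
//    holding the view-all capability (hypothetical name; it would be declared
//    in the plugin's db/access.php).
$isowner = ((int)$widget->userid === (int)$USER->id);
if (!$isowner && !has_capability('local/widget:viewall', $context)) {
    throw new moodle_exception('nopermissions', 'error', '', 'view this widget');
}

// 5. Only now render the page; output escaping via s() keeps the view safe.
echo $OUTPUT->header();
echo html_writer::tag('p', s('Widget #' . $widget->id . ' owned by user ' . $widget->userid));
echo $OUTPUT->footer();
```

The strict integer comparison and MUST_EXIST are deliberate: a missing row or a guest session should fail closed with a clear error rather than fall through to a display of someone else's record.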

John Unnever
Re: URL Encoding?
by John Unnever, Friday 15 January 2016, 13:56
Group: Partners

Once again, I've come onto the forums for help and gotten exactly the information I was looking for! By the CTO nonetheless! Really appreciate your help Simon, as always. It's been a fun experience writing the PHP and then trying to totara-ize it with your best practices.

John

Simon Coggins
Re: URL Encoding?
by Simon Coggins, Monday 18 January 2016, 14:18
Group: Totara

Glad we could help.

We have discussed creating a Totara Academy specifically for developers to gather together all the best practice into a course that people can choose to take. Of course the hard part is finding the time to put the course together!

Simon