Revealing user ID & security


Piotrek Karaś

Tuesday 12 August 2008 7:29:08 am

Hi all,

Do you think revealing user ID (actual ID, not NodeID) in the forms or URLs could be potentially risky for any reason?

Thanks,
Piotrek

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu

Piotrek Karaś

Friday 15 August 2008 11:27:27 pm

Or maybe another way: is revealing object ID risky at all? User ID is a content object ID after all...


André R.

Sunday 17 August 2008 7:23:02 am

Only if you only visually block certain users from being able to do something with an object (e.g. code in templates that decides who should see the edit / delete button based on something other than the actual user rights).

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Piotrek Karaś

Sunday 17 August 2008 8:11:36 am

Oh, yeah, but then it wouldn't be the best practice in any case, I suppose.

I'm thinking about a mutual contact book architecture for users, and wondering whether using user IDs directly (rather than providing some ID obfuscation) would be acceptable. If not, the only thing that comes to my mind capable of handling this level of ID uniqueness would be some hash function on the user ID.

Thanks,
Piotrek

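The two points raised in this thread, as an added example that is not part of the original posts and is not eZ Publish code: a generic Python model of an "edit" action that is either protected only by hiding the button in the template (so an exposed numeric ID lets anyone submit the request) or re-checked against the real permission rule on the server, followed by the hashing idea from the last post. The object store, user IDs, admin set and `SECRET_KEY` are constructed for the example; it shows that a plain hash of a small sequential ID is trivially brute-forced, that a keyed HMAC token is not guessable without the server secret, and that neither replaces the server-side rights check.

```python
import copy
import hashlib
import hmac

# Constructed sample data (not from the thread): two content objects, each owned
# by one user, plus one administrator account.
SAMPLE_OBJECTS = {
    14: {"owner": 10, "title": "Alice's contact card"},
    15: {"owner": 11, "title": "Bob's contact card"},
}
ADMIN_USER_IDS = {1}


class AccessDenied(Exception):
    pass


def fresh_store():
    """Return a private copy of the sample objects so each run starts clean."""
    return copy.deepcopy(SAMPLE_OBJECTS)


def can_edit(user_id, object_id, objects):
    """The actual permission rule: owners and administrators may edit."""
    obj = objects.get(object_id)
    return obj is not None and (user_id in ADMIN_USER_IDS or obj["owner"] == user_id)


def edit_button_visible(user_id, object_id, objects):
    """Presentation-layer check: the template decides whether to draw the button."""
    return can_edit(user_id, object_id, objects)


def edit_object_unsafe(user_id, object_id, new_title, objects):
    """Handler that trusts the hidden button and performs no check of its own.
    Any user who knows or guesses the numeric ID can submit this request."""
    objects[object_id]["title"] = new_title
    return objects[object_id]


def edit_object_safe(user_id, object_id, new_title, objects):
    """Handler that re-checks rights on every request; the exposed ID is then harmless."""
    if not can_edit(user_id, object_id, objects):
        raise AccessDenied(f"user {user_id} may not edit object {object_id}")
    objects[object_id]["title"] = new_title
    return objects[object_id]


# --- ID obfuscation -------------------------------------------------------

def plain_hash(object_id):
    """Unkeyed hash of the ID, the naive 'some hash function on the user ID' option."""
    return hashlib.sha256(str(object_id).encode()).hexdigest()


def recover_id_from_plain_hash(digest, max_id=100000):
    """Attacker side: sequential IDs are small numbers, so the digest is brute-forced."""
    for candidate in range(1, max_id + 1):
        if plain_hash(candidate) == digest:
            return candidate
    return None


# Assumption: a random secret held only on the server, never exposed to templates.
SECRET_KEY = b"replace-with-a-random-server-side-secret"


def public_token(object_id):
    """Keyed token: without SECRET_KEY an outsider can neither forge nor enumerate it."""
    return hmac.new(SECRET_KEY, str(object_id).encode(), hashlib.sha256).hexdigest()


def resolve_token(token, objects):
    """Server side: map a token back to an object ID using constant-time comparison.
    A linear scan keeps the example self-contained; a real site would store the token."""
    for object_id in objects:
        if hmac.compare_digest(public_token(object_id), token):
            return object_id
    return None


if __name__ == "__main__":
    store = fresh_store()
    # Bob (11) sees no edit button on Alice's card, yet the unsafe handler still obeys him.
    print("button visible:", edit_button_visible(11, 14, store))
    print("unsafe edit:", edit_object_unsafe(11, 14, "defaced", store))
    store = fresh_store()
    try:
        edit_object_safe(11, 14, "defaced", store)
    except AccessDenied as exc:
        print("safe handler:", exc)
    print("plain hash recovered:", recover_id_from_plain_hash(plain_hash(15)))
    print("token resolves to:", resolve_token(public_token(14), store))
```

The token only hides which object a URL refers to; after `resolve_token()` the handler must still call `can_edit()`, which is the check André's reply says must not live in the template alone.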
