Revealing user ID & security

Tuesday 12 August 2008 7:29:08 am - 3 replies

Modified on Friday 15 August 2008 7:30:43 am by Piotrek Karaś

Piotrek Karaś

Friday 15 August 2008 11:27:27 pm

Or maybe another way: is revealing an object ID risky at all? A user ID is a content object ID after all...

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu

André R.

Sunday 17 August 2008 7:23:02 am

Only if you only visually block certain users from being able to do something with an object (e.g. code in templates that decides who should see the edit / delete button based on something other than actual user rights).

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Piotrek Karaś

Sunday 17 August 2008 8:11:36 am

Oh, yeah, but then it wouldn't be the best practice in any case, I suppose.

I'm thinking of a mutual contact book architecture for users, and wondering if using user IDs directly (rather than providing some ID obfuscation) would be acceptable. If not, the only thing that comes to my mind capable of handling this level of ID uniqueness would be some hash function on the user ID.

Thanks,
Piotrek

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu
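
The two points raised in this thread, sketched as an added example that is not part of the original posts and is not eZ Publish code: an unkeyed hash of a small integer ID can be matched back by hashing every candidate, and the access decision has to be made on the server for each request rather than in a template. The key, the contact data, the policy and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample data (assumptions, not from the thread).
SECRET_KEY = b"demo-only-key-load-from-server-config"
CONTACTS = {14: {10, 42}, 10: {14}, 42: set()}  # owner ID -> contact IDs


def plain_hash_id(user_id: int) -> str:
    """Unkeyed hash: looks opaque, but anyone can recompute it from an ID."""
    return hashlib.sha256(str(user_id).encode()).hexdigest()


def recover_id(digest: str, max_id: int = 100_000):
    """Small integer IDs can be matched back by hashing every candidate."""
    for candidate in range(max_id):
        if plain_hash_id(candidate) == digest:
            return candidate
    return None


def opaque_id(user_id: int) -> str:
    """Keyed reference: cannot be recomputed without SECRET_KEY."""
    mac = hmac.new(SECRET_KEY, str(user_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


# Server-side lookup from opaque reference back to the real ID.
TOKEN_INDEX = {opaque_id(uid): uid for uid in CONTACTS}


def may_view(actor_id: int, target_id: int) -> bool:
    """Assumed policy: you may view yourself and people in your contact book."""
    return actor_id == target_id or target_id in CONTACTS.get(actor_id, set())


def handle_view(actor_id: int, token: str) -> str:
    """The check runs on every request, whatever the template displayed."""
    target_id = TOKEN_INDEX.get(token)
    if target_id is None:
        return "404"
    if not may_view(actor_id, target_id):
        return "403"
    return "200"


if __name__ == "__main__":
    print(recover_id(plain_hash_id(42)), handle_view(10, opaque_id(42)))
```

The keyed reference only makes IDs harder to enumerate; `handle_view` is what actually decides access, and it gives the same answer whether the client was handed a raw ID or an opaque one.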
