Zhong Liu
Posts: 0
Joined: Tue Jun 17, 2014 3:27 am

How can I know which user the token represents?

Hi,

I have a piece of server code that takes two parameters. One is a token, and the other is a user id. This code is used to query someone's own data in the database. How can I prevent a user from passing the user id of someone else, so that he/she can easily see the data of others?
If I can retrieve the user id that the token represents, I no longer need the user to pass a user id as a parameter. Is it possible for a developer to retrieve the user info via a token string?

Yurii Orishchuk
Posts: 0
Joined: Fri Feb 14, 2014 8:20 am

Hi Zhong,

You can specify a certain ACL for each user.

By default you have the following ACL:

{"*":{"read":true},"52fe2ad1e4b0a25c11c899f8":{"read":true,"write":true}}

So everyone has "read" access to get info about this user.

You can change it for the needed users (for example, after registration) to:

{"52fe2ad1e4b0a25c11c899f8":{"read":true,"write":true}}

This ACL allows only a certain user to read the info.

Regards.

Zhong Liu

Hi Yurii,

Thank you for your reply.

What I mean is: when I get a token as a parameter, can I get the corresponding user info?

Yurii Orishchuk

Hi Zhong,

Yes, you can do it with a further implementation.

So:

1. Set the users' ACL as described above.

2. Get the users (list) with the given token. This users list will return only those users who have "read" access for this session token. If the 1st step is implemented, you will get only the current user there.

Regards.
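
The two steps discussed in this thread, sketched as an added example that is not part of the original posts and not any platform's own API: an in-memory model where the caller's id is derived from the session token instead of a user id parameter. The session table, the second user id, the sample records and all function names are assumptions made for illustration.

```javascript
// Added illustration. The stores and function names below are hypothetical;
// they model the ACL behaviour described in the thread, not a platform API.
const ALICE = "52fe2ad1e4b0a25c11c899f8";   // id taken from the ACL in the thread
const BOB = "000000000000000000000b0b";     // constructed id

// Constructed session table: token -> user id it was issued to.
const sessions = new Map([["tok-alice", ALICE], ["tok-bob", BOB]]);

// Build the users collection with either the default or the restricted ACL.
function makeUsers(restricted) {
  return [ALICE, BOB].map((id) => {
    const acl = { [id]: { read: true, write: true } };
    if (!restricted) acl["*"] = { read: true };   // default: everyone may read
    return { _id: id, acl };
  });
}

// Step 2: list the users the holder of this token is allowed to read.
function listUsersReadableBy(users, token) {
  const caller = sessions.get(token);
  if (caller === undefined) return [];             // unknown or expired token
  return users.filter((u) => {
    const entry = u.acl[caller] || u.acl["*"];
    return Boolean(entry && entry.read);
  });
}

// Derive the caller's id from the token. Fail closed unless exactly one user
// is visible: with the default ACL the list is ambiguous and proves nothing.
function resolveUserId(users, token) {
  const visible = listUsersReadableBy(users, token);
  if (visible.length !== 1) throw new Error("cannot identify caller from token");
  return visible[0]._id;
}

// The data query takes no user id parameter; the owner comes from the token.
function getOwnData(users, records, token) {
  const ownerId = resolveUserId(users, token);
  return records.filter((r) => r.ownerId === ownerId);
}

const records = [                                   // constructed sample data
  { ownerId: ALICE, note: "alice-1" },
  { ownerId: BOB, note: "bob-1" },
];
```

If any user is left on the default ACL, the list in step 2 contains more than one entry, so the lookup rejects the request rather than guessing which entry is the caller.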
