Transforming List Row ID ?

[Incremental]

Hi,
I have a list with users not created as Joomla users.
I would like to allow them to access ONLY to their informations, sending them an URL by mail (list email plugin)

As ID are auto-increments, I do not want that some folks try to access other records, changing the ID in the URL sent by mail.
I think to something like :

• compute the key for sending it by mail in an URL, instead of the ID,
• receive it in a PHP form script for 'reverse compute' the ID to the right record in the DB

Then nobody would have a chance to guess other records.

Does somebody has an idea for an algorithm changing simple ID in a long key ?

 

[cheesegrits]

You'd have to get a little bit creative. You obviously can't do anything that involves a redirect to the "real" URL after they hit your return script, as that'll just un-mask the rowid again.

The best approach is probably to have the email direct them to a J! article, with the encrypted ID appended as a query string arg. In the article, use something like Sourcerer to decrypt that query string arg, and echo the appropriate Fabrik content plugin string to load the view you want to give them. So all they will see on the URL is the article link.

Of course, if they dig in to the page source, the form itself will have references to the ID, and if they have any knowledge of Fabrik, they could easily surmise how to generate a component link which would load other rowid's.

As for what algorithm ... the built in J! crypt stuff would dbe as good as anything. We have a simple helper for it, so you can do ...

$rowid = $formModel->getRowId();
$crypt = FabrikWorker::getCrypt();
$crypted_rowid = $crypt->crypt($rowid);

Then add "&whatever=$crypted_value" to the URL to your article landing page.

You'd have to use a PHP template for your email, so you could generate that crypted value. In that code, our helpers should already be loaded. In your article's Sourcer code, you'd need to load the helper, with:

require_once '/full/path/to/joomla/components/com_fabrik/helpers/parent.php';
$app = JFactory::getApplication();
$encrypted_rowid = $app->input->get('whatever', '');
$rowid = $crypt->decrypt($encrypted_rowid);
echo "{fabrik view=details id=123 rowid=$rowid};

That should get you on the right track, anyway.

-- hugh

 

[Incremental]

Thanks a lot for the details, I was thinking to something like that !
I'll try it and tell you.
Regards (and happy new year !)

 

[troester]

Of course, if they dig in to the page source, the form itself will have references to the ID, and if they have any knowledge of Fabrik, they could easily surmise how to generate a component link which would load other rowid's.

I've done it like this to prevent using the standard view=form&rowid=x
- Add a calc element hash, calculate the unique string
- Send view=form&usekey=hash&rowid=your-string to your user
- Add a prefilter to your list (I know JRequest is deprecated, it's an old example)

WHERE hash EQUALS
$k=JRequest::getVar('usekey');
if ($k!='hash') return "'null'";
$h=JRequest::getVar('rowid');
return $h;

Type eval

 

[cheesegrits]

That's a good solution as well, which I've used before. I didn't suggest it in this case, simply because it involves the calc element and 'usekey', which can be problematic, although they seem to be solid in 3.1 atm.

Either way will work, although thinking about it, for this purpose, your way is probably better, as it should be possible to entirely hide the PK element, if you use a copy of the list, and set the ACL on the PK element so only super admins (or whatever) have read or write access. That would prevent fishing through rowid's, if rows could only be accessed through a very random (and long) hashed key.

That copy of the list would ONLY be usable for this one purpose though.

-- hugh