I usually make my pages require a User to have better control.
So the current user’s Id appears in the URL, and if I copy and paste it into another browser or a private tab, I access the page without barriers as the “Current Page’s User”.
Can someone help me to fix this vulnerability?
You can fix this in two ways:
1. Privacy Rules (More Secure, Server-Side Protection)
Go to your User table’s Privacy Rules and add a new rule:
- Condition: This User is Current User
- Uncheck all the fields for other users.
This will block data access server-side, meaning nobody except the owner of the data can see it, even if they try to access the URL directly.
Downside: If you use this strict rule, when you try to display a list of users somewhere, you’ll only see the current user (since other users’ data is fully blocked).
2. Workflow Check (More Flexible, Client-Side Protection)
Add a “Do when condition is true” workflow to the page:
- Condition: Current Page User is not Current User
- Action: Redirect to your main menu or another page.
This doesn’t block the data server-side (so technically the data could still be exposed if someone digs deeper), but it’s easier to work with, especially if you need to list users somewhere.
You can also make this more flexible by adding additional and/or conditions to shape your security logic.
For your scenario, option 2 seems better because you need more flexibility. But if you want maximum security, combine both approaches.
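The difference between the two options, as an added example that is not from the answer above or from Bubble itself: a constructed in-memory "User" table with a simplified model of a privacy rule ("This User is Current User", all fields unchecked for others) next to the page-level redirect, showing that only the server-side rule changes what a direct data request returns.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    id: str
    email: str
    phone: str

# Constructed sample "User" table (not real data).
USERS = {
    "u1": User("u1", "alice@example.com", "555-0100"),
    "u2": User("u2", "bob@example.com", "555-0200"),
}

def privacy_rule_get(current_user_id: str, page_user_id: str) -> Optional[dict]:
    """Option 1 (simplified model): the record's fields are served only when
    the requested User *is* the current user; everyone else gets nothing,
    regardless of what id the URL carried."""
    user = USERS.get(page_user_id)
    if user is None or user.id != current_user_id:
        return None
    return {"id": user.id, "email": user.email, "phone": user.phone}

def privacy_rule_search(current_user_id: str) -> list:
    """The downside the answer mentions: with all fields unchecked for other
    users, a 'list of users' collapses to just the current user."""
    return [r for r in (privacy_rule_get(current_user_id, uid) for uid in USERS)
            if r is not None]

def workflow_check(current_user_id: str, page_user_id: str) -> str:
    """Option 2: the page redirects when Current Page User is not Current User.
    This decides what the browser shows, not what the data layer returns."""
    return "redirect:/main_menu" if page_user_id != current_user_id else "render"

def unprotected_get(page_user_id: str) -> Optional[dict]:
    """What the data layer still answers under option 2 alone: the redirect
    does not stop a request that simply asks for the record by id."""
    user = USERS.get(page_user_id)
    if user is None:
        return None
    return {"id": user.id, "email": user.email, "phone": user.phone}

def combined_get(current_user_id: str, page_user_id: str) -> tuple:
    """Both approaches together: the redirect for usability, the privacy rule
    so that the data is withheld even when the redirect is bypassed."""
    return (workflow_check(current_user_id, page_user_id),
            privacy_rule_get(current_user_id, page_user_id))
```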
You do not need to set a page to a user type in almost any app.
You can just use the dynamic expression ‘Current User’: when you set a page’s content type to User and send Current User as the data, Current Page User and Current User are then the same user.
If there is a page where you want a user’s profile, there is a chance you have a data type called Profile; you can just set the page content type to Profile, which avoids having the user’s unique id in the URL. The URL would instead carry the profile’s unique id, or its slug if a slug value exists on the entry.
Ok, I’ll try it later and will be in touch again soon. Thanks so much already.