I have
a laravel app with the route
Route::put('/api/{deviceMac}/access/update','DeviceController@update');
rule
If user A have deviceMac 000000000000
, should only be making a PUT to
http://www.app.com/api/000000000000/access/update
{deviceMac:000000000000, access: true}
If user B have deviceMac 111111111111
, should only be making a PUT to
http://www.app.com/api/111111111111/access/update
{deviceMac:111111111111, access: true}
User A should not be able hijacking the route update of other users
hijacking
User A should have access to 000000000000
only,
Right now, User A can tweak the HTTP request and make a PUT as User B
http://www.app.com/api/111111111111/access/update
{deviceMac:111111111111, access: false}
Questions
How do I prevent other users from high jacking the request payload as other users ?
Should I adjust my middleware to take care of this issue ?
I'm open to any suggestions at this moment.
Any hints/suggestions / helps on this be will be much appreciated!
via
Chebli Mohamed