If a smart viewer can work out the correct URL, how do I stop the page being displayed?
I have a student website where students use their student number to log in and access their grades and feedback. It's obvious to a student that the student number is the last 8 characters of the dynamic page URL, so anybody could put another student's number into the URL and display any student's grade and feedback page: an obvious security breach.
I want to restrict this and only display the data for the logged-in user's dynamic page.
My solution is to have all data fields hidden when the page is first loaded and only display the data when the last 8 characters of the dynamic URL match the logged-in user's student number.
Any ideas how to extract the last 8 characters from the URL? I thought wixLocation.path might give me this?
import wixUsers from 'wix-users';
import wixData from 'wix-data';
import wixLocation from 'wix-location';

$w.onReady(function () {
    // wixLocation.path is an array of URL segments, e.g. ["grades", "S1234567"],
    // so compare against the last segment rather than the array itself.
    const segments = wixLocation.path;
    const lastSegment = segments.length ? segments[segments.length - 1] : '';
    const urlStudNo = lastSegment.slice(-8);   // student number = last 8 characters

    if (!wixUsers.currentUser.loggedIn) {
        return;   // fields stay hidden for anonymous visitors
    }

    wixData.query("Members/PrivateMembersData")
        .eq("_id", wixUsers.currentUser.id)
        .find()
        .then((results) => {
            if (results.items.length === 0) {
                return;   // no member record found, keep everything hidden
            }
            const studno = String(results.items[0].nickname || '');
            if (studno.length > 0 && urlStudNo === studno) {
                $w('#StudentNo').show();
                $w('#StudentName').show();
                $w('#InterimGrade').show();
                $w('#SecondGrade').show();
                $w('#FinalGrade').show();
                $w('#Feedback').show();
            }
        })
        .catch((err) => console.error("Member lookup failed", err));
});
Has anybody done this sort of security technique before? I would imagine it's a common enough security issue?
I sorted it - now only the URL that matches the logged-in student number is displayed; no data is displayed if someone changes the URL to end in another student number.
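The check above only decides whether page elements are shown; whatever the dynamic page or its dataset loads for that URL has still been sent to the browser, so hiding fields does not stop someone reading another student's record from the network response. The rule has to be enforced where the data is fetched, with the caller's identity taken from the session rather than from the URL. The example below is added here and is not the original poster's code or a Velo API: `pathSegments` stands in for the array that wixLocation.path returns, `session` stands in for the logged-in member record (with the student number stored as the nickname, as in the post), `gradesTable` is constructed sample data, and the 8-character student number format is an assumption.

```javascript
// Added example, not the original poster's code. Same rule as the post
// ("only show the logged-in student's record"), enforced on the data access.

// Assumption: a student number is exactly 8 alphanumeric characters.
const STUDENT_NO = /^[A-Za-z0-9]{8}$/;

// wixLocation.path is an array of segments ("/grades/S1234567" -> ["grades", "S1234567"]),
// so a direct `path === studno` comparison never matches; take the last segment first.
function studentNoFromPath(pathSegments) {
  const last = pathSegments.length ? pathSegments[pathSegments.length - 1] : '';
  const candidate = last.slice(-8);           // last 8 characters of the URL
  return STUDENT_NO.test(candidate) ? candidate : null;
}

// Constructed sample data standing in for the grades collection.
const gradesTable = [
  { studentNo: 'S1234567', name: 'Ada', interim: 62, second: 70, final: 68, feedback: 'Good progress' },
  { studentNo: 'S7654321', name: 'Bob', interim: 48, second: 55, final: 52, feedback: 'See me' },
];

// The authorization check as it should run server-side (in Velo, a backend web module).
// `session` is a hypothetical stand-in for the server's view of the logged-in member:
// the identity used for the lookup comes from it, never from the URL.
function gradesForSession(session, requestedStudentNo) {
  if (!session || !session.loggedIn) {
    return { ok: false, reason: 'not logged in' };
  }
  // The URL is only a hint; it must match the session's student number exactly.
  if (requestedStudentNo === null || requestedStudentNo !== session.studentNo) {
    return { ok: false, reason: 'forbidden' };
  }
  // Query by the session's number, so even a bug above cannot leak another row.
  const row = gradesTable.find(r => r.studentNo === session.studentNo);
  return row ? { ok: true, grades: row } : { ok: false, reason: 'no record' };
}

// Page-side flow: parse the URL, ask the backend, and show fields only on success.
function pageFlow(pathSegments, session) {
  const requested = studentNoFromPath(pathSegments);
  return gradesForSession(session, requested);
}

// Constructed sessions for a quick run.
const adaSession = { loggedIn: true, id: 'm1', studentNo: 'S1234567' };
console.log(pageFlow(['grades', 'S1234567'], adaSession));   // Ada's own record
console.log(pageFlow(['grades', 'S7654321'], adaSession));   // forbidden
```

In a real Velo site `gradesForSession` would live in a backend `.jsw` module, read the member id from `wix-users-backend` (or `wix-members-backend`), and query the grades collection itself; the page code would call that function and never load the grades collection directly, so changing the URL yields a refusal rather than hidden-but-present data.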