
Check if a $_SESSION variable is set from Javascript

I'm building a message system to learn how it works, and I've already got pretty much everything. I can log in and make a post on a board, but now I would like to be able to edit it. The back-end is ready; it receives a POST request.

Basically what I need to do is check if the currently logged in user is the author of a certain post from Javascript to show or hide the edit button. I know how to tell if the user is logged in from PHP so that it blocks requests if you aren't the author, but I can't hide or show the buttons as the posts are dynamically generated from a <template> using JS.

Login snippet:

$_SESSION["userid"] = $userid;

Edit check PHP snippet (kinda pseudo-code):

if (isset($_POST["action"], $_POST["postid"], $_POST["content"]) && $_POST["action"] == "modifypost")
{
  $post = get_post($_POST["postid"]);
  // $post is an object, so use -> here (in PHP "." is string concatenation)
  if ($post->userid != $_SESSION["userid"])
  {
    die("you are not allowed");
  }
  //MySQL queries
}

Post dynamic generation (abbreviated):

function add_post(post) {
  var t = document.querySelector('#historypost');
  // textContent instead of innerHTML: the post body is shown as plain text,
  // so a post containing markup cannot inject elements or scripts into the page
  t.content.querySelector(".content").textContent = post.content;

  var clone = document.importNode(t.content, true);
  document.body.appendChild(clone);
}

I had originally thought of setting a variable with the user ID from HTML with <script> and <?php ?> , but then the user would be able to manually set that variable from the console and show the buttons.

I had originally thought of setting a variable with the user ID from HTML with <script> and <?php ?>

Yes, this is one correct approach. Basically, use PHP to tell JavaScript which posts actually belong to the current user.

but then the user would be able to manually set that variable from the console and show the buttons

True. There is no way to secure information from user-meddling once you've sent it to the browser. This is because the user is in control of what gets executed in the browser. Instead of thinking of the button visibility as a security feature, think of it as a convenience -- something to make the user experience more pleasing.

Application security is really enforced on the server. Just make sure that one user is not allowed to edit another user's posts, and do not trust what comes from the browser. Verify inputs.

Ideally, I would prefer to put the post rendering logic on the server side.

But as your solution is focused on JavaScript, one option is to have PHP render a JavaScript variable that tells whether the user is the post author.

Example:

Inside your PHP file, in the HTML render part you can do this:

<script>var isAuthor = '<?php echo ($post->userid == $_SESSION["userid"]); ?>';</script>

Doing this, you will have a JavaScript variable called isAuthor that will have the value "1" if the user is the author.


But as I said, this doesn't look like a good approach to solve the problem. It's something that PHP can handle better, without exposing your logic to the client.
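Putting the two answers together, here is an added example (not code from the question or from either answer) of how the server decides authorization and only hands the browser a hint for the UI. It assumes a get_post($id) helper returning an object with ->id, ->userid and ->content, a get_all_posts() helper returning such objects, and a session already established by the login code that sets $_SESSION["userid"].

```php
<?php
// Added example. Assumed helpers: get_post($id), get_all_posts();
// assumed post fields: ->id, ->userid, ->content.
session_start();

function current_user_id(): ?int {
    return isset($_SESSION["userid"]) ? (int)$_SESSION["userid"] : null;
}

// Authorization is decided here, on the server, for every edit request.
// Nothing the browser sends (including any isAuthor flag) is consulted.
function handle_modify_post(array $post_data): void {
    $uid = current_user_id();
    if ($uid === null) {
        http_response_code(401);
        exit("login required");
    }
    if (!isset($post_data["postid"], $post_data["content"])) {
        http_response_code(400);
        exit("missing fields");
    }
    $post = get_post((int)$post_data["postid"]);
    if ($post === null || (int)$post->userid !== $uid) {
        http_response_code(403);
        exit("you are not allowed");
    }
    // ... prepared UPDATE statement goes here
}

// For rendering: give the browser a server-computed can_edit hint per post.
// json_encode() emits a valid JS literal, so there is no hand-written quoting
// around the PHP output; JSON_HEX_TAG keeps "<" out of the inline <script>.
function posts_for_client(array $posts): string {
    $uid = current_user_id();
    $out = [];
    foreach ($posts as $p) {
        $out[] = [
            "id"       => (int)$p->id,
            "content"  => $p->content,   // rendered client-side via textContent
            "can_edit" => $uid !== null && (int)$p->userid === $uid, // UI hint only
        ];
    }
    return json_encode($out, JSON_HEX_TAG | JSON_HEX_AMP);
}
?>
<script>
  var currentUserId = <?php echo json_encode(current_user_id()); ?>;
  var posts = <?php echo posts_for_client(get_all_posts()); ?>;
</script>
```

The JS side reads posts[i].can_edit to show or hide the button; flipping it from the console changes nothing, because handle_modify_post() re-checks ownership on every request.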
