I'm using Spring Boot with security to create a habit tracker. I got my database, user and goals. The problem is I can access other users' goals and edit them by changing the goal id in the URL.
What is the solution? Should I encode the url or do something else?
These are so-called ACLs. For complex applications read here: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#domain-acls
For easy id checking you can use method-level security, e.g. @PreAuthorize. Here: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#el-pre-post-annotations
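An added example, not part of the original answer, of the `@PreAuthorize` approach applied to the goal-ownership problem in the question. The names `Goal`, `GoalRepository`, `GoalSecurity`, `GoalService` and the `ownerUsername` field are hypothetical, and the classes are shown in one block for brevity.

```java
import java.util.Optional;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.parameters.P;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// Hypothetical domain type: each goal records the username that owns it.
class Goal {
    Long id; String title; String ownerUsername;
    String getOwnerUsername() { return ownerUsername; }
    void setTitle(String title) { this.title = title; }
}

// Hypothetical repository, e.g. backed by Spring Data in a real project.
interface GoalRepository {
    Optional<Goal> findById(Long id);
    Goal save(Goal goal);
}

@Configuration
@EnableMethodSecurity // older releases: @EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig { }

@Component("goalSecurity")
class GoalSecurity {
    private final GoalRepository goals;
    GoalSecurity(GoalRepository goals) { this.goals = goals; }

    // True only if the goal exists and belongs to the caller; unknown ids are denied.
    public boolean isOwner(Long goalId, String username) {
        return goals.findById(goalId)
                .map(g -> username.equals(g.getOwnerUsername()))
                .orElse(false);
    }
}

@Service
class GoalService {
    private final GoalRepository goals;
    GoalService(GoalRepository goals) { this.goals = goals; }

    // The id comes from the URL, so ownership is checked server-side before the body runs.
    @PreAuthorize("@goalSecurity.isOwner(#goalId, authentication.name)")
    public Goal rename(@P("goalId") Long goalId, String title) {
        Goal goal = goals.findById(goalId).orElseThrow();
        goal.setTitle(title);
        return goals.save(goal);
    }
}
```

The check runs only when `rename` is invoked through the Spring-managed bean (for example from the controller), not when it is called from another method of the same class. Apply the same annotation to every read, update and delete method that takes a goal id.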