Parallel ultra vires solution

our company"s system is an intranet system, and we have not paid attention to the problem of parallel ultra vires before. Recently, the company conducted a security test to issue this problem, that is, users can ultra vires access to other users or order information by modifying the parameters in url. At present, the solution we have discussed is to encrypt the core parameters when the parameters are passed by the backend to the foreground, and then decrypt the parameters when the parameters are passed by the backstage to the foreground. The disadvantage of this is that it has a great impact on the business side, and each business method has to be modified.
is there a reasonable solution to this problem to minimize the impact on the business side?

Mar.07,2021

whether you have permission to belong to the backend should have the function . According to you, the function of this API should be to modify your own order , which is obviously the fault of the backend itself.


your solution can use aspect-oriented programming to set interceptors before requests and responses
A reasonable solution I think it is best to set the scope of user permissions to view personal or departmental and corporate data

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1bf2f30-31197.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1bf2f30-31197.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?