Sorry if that’s a bit on an unspecific title and maybe a stupid question, but here we go:
I’m using DreamFactory to manage my users, their permissions and their access on the database. The user’s respective data (e.g. what the users stores in my app) will be stored in mySQL. We’re talking about a hybrid app, both web-based and mobile (PhoneGap), i.e. I need to use a wildcard-CORS.
But here’s the deal: If the user’s group has the “DELETE”-permission, anyone who reads the session-ID from the browser’s cache will be able to access the API via Postman (or any manual API-calls for that matter) and delete not only his/her data but also everyone else’s.
So: Is there any way to check if the requesting user’s ID matches the record’s ID?