Change all generated user/{uid} paths to user/{uuid} and process them without the redirect

I need to change all generated user/{uid} paths to user/{uuid} and process them without the redirect. The tricky part is that I need to:

  • Output canonical URLs to user/{uuid} instead of user/{uid}
  • Process them correctly without redirections and custom controllers

How can I achieve this?

This probably isn't worth the effort; it sounds like the standard "security through obscurity" that people who know tend to advise against. Have you considered that the user ID is probably going to be in countless other places too? CSS classes, data attributes in the HTML, and so on? It would be infinitely wiser IMO to spend this development time on pen-testing and securing the app in more robust ways.

Alex Smirnoff
I agree with your point of view from the technical perspective; however, this one is coming from the management point of view. So it's all about "I am user number 296", not that someone is going to hack something. I suggested increasing the initial counters, so we start from ID 1M and there will be no user with ID 296, but at this moment they can't accept the fact that the user knows his number.

Tell them they can have what they want, but that it's a non-standard, unrecommended action to take, and will therefore take ~3 months to implement and test. In my experience that tends to make non-tech management change their tune pretty quickly :)

In seriousness though, I doubt you'll find an easy solution to this; there are just so many things you'll have to check and change (for example the node author autocomplete, which shows the user ID in brackets). And that's just core; who knows what fun awaits in contrib and custom land.

apaderno
Why should they be worried about users who know their IDs? I am asking because this seems to be a question about what they think is a solution for their problem. Knowing the underlying problem would help to give a better answer.

apaderno
Given that the user ID is not considered sensitive data in Drupal, there are many places where the user ID appears, including as a CSS class on the user profile page. As @Clive said, there are many things that would have to be changed.

Kevin
You could use Pathauto? Other than that, this effort is pretty futile.

Chris4783
I would remove the automatic generation of paths for the user, delete all generated paths for user/{uid}, alter the canonical user route to user/{uuid} and load the user object with the EntityUuidConverter param converter or a custom one. However, pages such as user/1/edit can still be called, which is why the adjustment would be necessary there as well.
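Chris4783's outline, worked through as an added example. This is not code from the thread or from Drupal core: the module name uuid_user_paths, the parameter type string entity_uuid:user and every class name are assumptions. It uses a small custom param converter instead of the EntityUuidConverter mentioned above, rewrites every route that declares a {user} entity parameter (so user/1/edit and user/1/cancel are covered, not only the canonical route), and makes numeric ids a plain 404 rather than redirecting them.

```php
<?php
// Added example, not code from the thread or from Drupal core. Hypothetical
// module "uuid_user_paths"; parameter type "entity_uuid:user" and all class
// names are made up. Assumes Drupal 9/10 core only. The files a module would
// hold are shown in one listing, with bracketed namespaces so it stays valid.
//
// uuid_user_paths.services.yml would register the two services:
//   services:
//     uuid_user_paths.route_subscriber:
//       class: Drupal\uuid_user_paths\Routing\UserUuidRouteSubscriber
//       tags: [{ name: event_subscriber }]
//     uuid_user_paths.param_converter:
//       class: Drupal\uuid_user_paths\ParamConverter\UserUuidConverter
//       arguments: ['@entity_type.manager']
//       tags: [{ name: paramconverter }]

// --- src/Routing/UserUuidRouteSubscriber.php ---
namespace Drupal\uuid_user_paths\Routing {

  use Drupal\Core\Routing\RouteSubscriberBase;
  use Symfony\Component\Routing\RouteCollection;

  class UserUuidRouteSubscriber extends RouteSubscriberBase {

    protected function alterRoutes(RouteCollection $collection) {
      foreach ($collection->all() as $route) {
        $params = $route->getOption('parameters') ?? [];
        if (($params['user']['type'] ?? NULL) !== 'entity:user') {
          continue;
        }
        // Hits /user/{user}, /user/{user}/edit, /user/{user}/cancel and any
        // contrib route that declares a {user} entity parameter.
        $params['user']['type'] = 'entity_uuid:user';
        $route->setOption('parameters', $params);
        // user.routing.yml requires user: \d+. Swap it for a UUID pattern so
        // /user/296 no longer matches at all: a 404, not a redirect.
        $route->setRequirement('user',
          '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}');
      }
    }

  }
}

// --- src/ParamConverter/UserUuidConverter.php ---
namespace Drupal\uuid_user_paths\ParamConverter {

  use Drupal\Component\Uuid\Uuid;
  use Drupal\Core\Entity\EntityTypeManagerInterface;
  use Drupal\Core\ParamConverter\ParamConverterInterface;
  use Symfony\Component\Routing\Route;

  class UserUuidConverter implements ParamConverterInterface {

    protected EntityTypeManagerInterface $entityTypeManager;

    public function __construct(EntityTypeManagerInterface $entity_type_manager) {
      $this->entityTypeManager = $entity_type_manager;
    }

    public function applies($definition, $name, Route $route) {
      return ($definition['type'] ?? NULL) === 'entity_uuid:user';
    }

    public function convert($value, $definition, $name, array $defaults) {
      // Only a well-formed UUID is looked up. Returning NULL makes the param
      // converter manager raise the 404, so a numeric id is never resolved.
      if (!is_string($value) || !Uuid::isValid($value)) {
        return NULL;
      }
      $users = $this->entityTypeManager->getStorage('user')
        ->loadByProperties(['uuid' => $value]);
      // This only resolves the object; the route's _entity_access
      // requirement (user.view / user.update) is still enforced afterwards.
      return $users ? reset($users) : NULL;
    }

  }
}

// --- src/Entity/UuidRoutedUser.php ---
namespace Drupal\uuid_user_paths\Entity {

  use Drupal\user\Entity\User;

  class UuidRoutedUser extends User {

    // EntityBase::urlRouteParameters() puts $this->id() under the 'user'
    // key; substitute the UUID so toUrl() and entity links emit /user/{uuid}.
    protected function urlRouteParameters($rel) {
      $parameters = parent::urlRouteParameters($rel);
      if (isset($parameters['user'])) {
        $parameters['user'] = $this->uuid();
      }
      return $parameters;
    }

  }
}

// --- uuid_user_paths.module ---
namespace {

  use Drupal\uuid_user_paths\Entity\UuidRoutedUser;

  /**
   * Implements hook_entity_type_alter(): swap in the UUID-routed User class.
   */
  function uuid_user_paths_entity_type_alter(array &$entity_types) {
    $entity_types['user']->setClass(UuidRoutedUser::class);
  }

}
```

What this does and does not cover: after a cache rebuild, `$account->toUrl()`, entity operation links and the canonical URL all render as /user/{uuid} and resolve without a redirect, while /user/296 is a 404. Anything that builds the link by hand, such as `Url::fromRoute('entity.user.canonical', ['user' => $uid])` in core or contrib, still emits the numeric id and now breaks, which is exactly the "countless other places" the earlier comments warn about; previously generated user/{uid} aliases have to be deleted separately, as Chris4783 says, and the numeric id still appears in CSS classes and in the node author autocomplete. If legacy numeric links must keep working during a migration, the converter can additionally accept a ctype_digit() value and load it by id, at the cost of the id being visible again.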