Currently when I need to change some client data, I store the ID in input hidden , but this is visible if you inspect the element giving the freedom to someone who has more experience manipulating the system.
Is there any right way to do this? Any good practice?
It is not very visible. It is sufficiently visible.
If your system allows something wrong to be done just because someone knows what the ID is, then your system is very flawed. Fix it, do not try to concoct artificial protections.
Any system that does not validate every minute action of the user before making a decision and an action that changes state in the system is wrong. And guess what? Some 99% of systems allow users to do things that are not expected and compromise to some degree what they could not do.
People need to learn how to develop software in the right way, and this is never getting information here or there. It takes scientific method, structured learning, deep understanding of the whole basis of what you are doing and knowing what your context is, so never look for good practice.
Good practices serve as an alert to something someone has thought about, not as a definitive guide to what to do. Most have flaws and do not focus on their context.
All that comes from outside the system, especially those that can be triggered by a user in a legitimate way or should not be validated. You should only accept what is possible. One of the mistakes one makes is to try to prevent wrongdoing. You'll never know everything that could be wrong. So he forbade everything and accepted only that which was acceptable in that context.
Can the person see certain information if they pass the ID? Okay, so send it to her. If she can not, do not. If you can in the given circumstance, if you can if it is a people with a certain credential, okay, so make sure you meet the criteria before sending. This becomes even more important if she can change the data.
If the data is changed, do you need someone's extra permission? In some cases you need to, so take an extra step. Anyway register all that has been changed, or even accessed in most cases.
There are situations where an alert system is a compromise between just recording what was done and asking someone to authorize the action. There is a mechanism called the cutoff and it is a term that almost no programmer uses, a huge mistake.
feminine noun
Limit of powers granted.
Jurisdiction, supremacy.
[Figured] Sphere.
Appeal.
"alçada", in Dictionary Priberam da Língua Portuguesa [online], 2008-2013, link [consulted at 28-07-2018].
