The best way to ensure that logged in users only see their data

It will sound like a stupid question, but I'm just wondering if I have any trick left.

Scenario: I have a web application using SimpleMembership where users can register to use it (for example, an invoice program).

However, they should be able to view / update / delete information that they themselves add to the database / web application.

What is the best way to ensure that the user gets access to their information?

Should I add a custom field to each table, for example:

public class Invoice
{
     public int InvoiceId { get; set; }
     public int CustId { get; set; }
     public string UserName { get; set; }
}

public class Item
{
   public int ItemId { get; set; }
   public int InvoiceId { get; set; }
   public string UserName { get; set; }
}

... and then in any controller that accesses the data, just add a check for the username in each request, for example:

var Inv = db.Invoices.Where(x => x.UserName == User.Identity.Name); // == (comparison), not = (assignment)
var Itm = db.Items.Where(y => y.UserName == User.Identity.Name);

, , , ? , , MVC4?

_ UserId UserProfile, ?


+5
3

db, , . :

var invoices = dbContext.Users.First(u => u.id == idParam).Invoices; // First, not first


if (dbContext.Invoices.Any(i => i.invoiceID == invoiceIDParam)) // invoice exists?
{
    // Invoice belongs to user?
    bool invoiceBelongsToUser = dbContext.Users.First(u => u.id == idParam)
        .Invoices.Any(i => i.invoiceID == invoiceIDParam);
}
+2
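The question's per-table owner column and the first answer's "navigate from the user" check can be combined into one filtered query that every action builds on. This is an added example, not code from the question or any of the answers; the entity, the `AppDb` context name and the `Number` field are assumed, and the owner is stored as SimpleMembership's integer `UserId` (from `WebSecurity.CurrentUserId`) rather than the user name.

```csharp
using System.Data.Entity;          // Entity Framework DbContext
using System.Linq;
using System.Web.Mvc;
using WebMatrix.WebData;           // SimpleMembership's WebSecurity

// Assumed entity: every row carries its owner's UserId, the int key that
// SimpleMembership assigns in UserProfile (more stable than a user name).
public class Invoice
{
    public int InvoiceId { get; set; }
    public int UserId { get; set; }
    public string Number { get; set; }
}

public class AppDb : DbContext          // assumed context name
{
    public DbSet<Invoice> Invoices { get; set; }
}

[Authorize]   // no anonymous access to any action in this controller
public class InvoicesController : Controller
{
    private readonly AppDb db = new AppDb();

    // Single choke point: every query is built on this filter, so rows of other accounts are never loaded.
    private IQueryable<Invoice> MyInvoices()
    {
        int userId = WebSecurity.CurrentUserId;
        return db.Invoices.Where(i => i.UserId == userId);
    }

    // A tampered id (client/edit/4 changed to 5) finds nothing for this user: 404, not someone else's data.
    public ActionResult Edit(int id)
    {
        var invoice = MyInvoices().SingleOrDefault(i => i.InvoiceId == id);
        if (invoice == null) return HttpNotFound();
        return View(invoice);
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, string number)
    {
        // Re-run the ownership filter on the POST as well; the GET check alone is not enough.
        var invoice = MyInvoices().SingleOrDefault(i => i.InvoiceId == id);
        if (invoice == null) return HttpNotFound();
        invoice.Number = number;   // copy only editable fields; UserId is never bound from the request
        db.SaveChanges();
        return View(invoice);
    }
}
```

Returning 404 for both "does not exist" and "belongs to someone else" avoids confirming to a caller which ids are in use by other accounts.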


  • / post/query, - , , cookie,


  • , client/edit/4, , 4 .

, : https://www.owasp.org/index.php/Top_10_2010-Main

+3

You can add an AuthorizeAttribute filter to the global.asax file to protect each action method of each controller.

And the dispatcher does not need to log in:

[AllowAnonymous]
public ActionResult LogOn()
{ return View(); } // renders the login form without requiring authentication

securing-your-asp-net-mvc-3-application

0