hidden routing Id

  • Question

  • User-323149085 posted

    Hello,

    I would like to get query results based on Id, but I would like not to expose the Id value.

    (I'm using Core 2.2)

      <a asp-controller="offers"
         asp-action="SuplayerProfile"
         asp-route-id="@item.SupplayerId" class="">
          Text
      </a>
    but the controller should get the id value of the Id:

    public async Task<IActionResult> SuplayerProfile(string id)
    {
        if (id == null)
        {
            return NotFound();
        }

        // Looks the supplier up by the id taken straight from the route
        Supplayer SuplProfile = await _context.Supplayer
            .Where(s => s.SiteUserId == id)
            .SingleOrDefaultAsync();

        return View(SuplProfile);
    }

    Results should be >> :Http/Offer/SuplayerProfile

    How do I write the ActionLink?

    Thanks 

    Thursday, January 24, 2019 10:12 AM

Answers

  • User475983607 posted

    Your requirement of hiding the route Id is simply impossible. The URL is what the browser (or user agent) sends to the server to fetch the resource.

    If the problem is bookmarking the link then use a POST. There's also encrypting the Id if you don't want the users to see the actual Id.

    Otherwise, explain the problem you are trying to solve rather than how you think it should be solved.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, January 24, 2019 1:14 PM
  • User753101303 posted

    Details may vary but the basic idea is that you should not use the pk alone to decide which row should be shown.

    You should always filter rows based on the connected user and then only use the pk criteria. This way if the pk value is changed to something else in the query string, it will work only for rows the current user is anyway allowed to see.

    Using a guid or encrypting the value makes this harder (just because the value is hard to guess), but strictly speaking it would still be possible to provide a value and see something you shouldn't.

    How do you know if a user can see a card? Did the owner of this card previously select other users with which he wants to share his details?

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, January 24, 2019 2:58 PM

All replies

  • User753101303 posted

    Hi,

    The real problem is that you are using this value blindly without checking if the user is allowed to access this row. It would be my first move, i.e. something such as:

    .Where(s => s.OwnerId == User.GetUserId() && s.SiteUserId == id).SingleOrDefaultAsync()

    This way, if the user tries to use a site owned by someone else he would find nothing. Other options you'll find are:
    - encrypting the value (but depending on how it's done, if user A sends a link to user B using the same system, or if it leaks in a screenshot, it is possible that it will be accessible)
    - posting the value as a form field (doesn't change much; you basically just put the door key under a stone in your garden)

    In short, IMO it's best to not use the DbSet but a DbSet that is always filtered against what the current user is supposed to have access to...

    Thursday, January 24, 2019 10:45 AM
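    An added example (not code from this thread or its posters) of the approach Patrice describes in both replies: the candidate rows are first restricted to what the connected user may see, and the route id is applied only inside that filtered set. It assumes the `Supplayer` entity from the question, an `ApplicationDbContext` exposing `DbSet<Supplayer> Supplayer` and a hypothetical `DbSet<CardShare> CardShares` recording which users an owner chose to share his card with, and resolves the caller via `UserManager.GetUserId(User)`.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Hypothetical sharing record (not from the thread): the owner of a card
// lists the users allowed to view it.
public class CardShare
{
    public int Id { get; set; }
    public string OwnerId { get; set; }           // SiteUserId of the card owner
    public string SharedWithUserId { get; set; }  // user allowed to see that card
}

[Authorize]
public class OffersController : Controller
{
    private readonly ApplicationDbContext _context;
    private readonly UserManager<IdentityUser> _userManager;

    public OffersController(ApplicationDbContext context, UserManager<IdentityUser> userManager)
    {
        _context = context;
        _userManager = userManager;
    }

    // The "always filtered DbSet": only cards the viewer owns or was granted access to.
    private IQueryable<Supplayer> VisibleSupplayers(string viewerId) =>
        _context.Supplayer.Where(s =>
            s.SiteUserId == viewerId ||
            _context.CardShares.Any(c => c.OwnerId == s.SiteUserId
                                      && c.SharedWithUserId == viewerId));

    public async Task<IActionResult> SuplayerProfile(string id)
    {
        if (id == null) return NotFound();

        var viewerId = _userManager.GetUserId(User);

        // The route id is applied only inside the already-filtered set, so a tampered
        // or guessed id for a card not shared with the viewer returns the same 404 as
        // a non-existent row; nothing about other users' cards is revealed.
        var profile = await VisibleSupplayers(viewerId)
            .SingleOrDefaultAsync(s => s.SiteUserId == id);

        if (profile == null) return NotFound();
        return View(profile);
    }
}
```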
  • User-323149085 posted

    Thank you Patrice for your answer,

    This link is not for the user to check his own details; it is for other users to check his card (details).

    So > loginUser == id is not what I need.

    Thursday, January 24, 2019 11:28 AM
  • User-323149085 posted

    @patriceSe @mgebhard thank you for your input.

    Based on your input, it looks like I'll need to use a different value/identifier to get the data I want.

    Thanks

    Friday, January 25, 2019 7:26 AM