Best way to secure app from unauthorized access to data by updating JS through browser inspect

  • Question

  • User471845722 posted

    Hello,

    I have an ASP.NET MVC app, which has client-side JavaScript. The application, when logged in, displays a list of tasks. Clicking on the hyperlink opens its details in a popup window. As a user, based on my permissions I see a list of tasks I'm assigned to. However, when I open a task and, through the browser inspector, change the ID of the task, I can see the tasks which I'm not authorized to view.

    What is the best way to handle this from the server side (controller)? I would need a generic solution which I could apply across other similar modules. 

    Any other advice with references would be helpful.

    Thanks,

    Aloysius

    Monday, October 8, 2018 6:53 AM

Answers

  • User-821857111 posted

    You should perform a check when retrieving the task in your controller to make sure that the user requesting it is authenticated and has permission to see that particular task. It's impossible to provide a generic solution because the problem is very specific to your application and is governed by your application's business rules. No one else here knows what "permission" actually means in your context. It could be governed by membership of a role, or ownership of a task, or being a member of a team that owns a task etc, etc, etc.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, October 8, 2018 8:55 AM
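One way to put the check the answer describes into the controller, as an added example that is not code from the original thread or from the poster's application. It assumes ASP.NET MVC 5 with ASP.NET Identity and an Entity Framework style LINQ data source; the entity `TaskItem`, the `TeamMember` table, the `IAppData` abstraction, and the rule "a task is visible if the user is its assignee or a member of its team" are all assumptions standing in for whatever the application's own business rules are. The reusable part is the pattern, not the rule: the same visibility predicate drives both the list and the details action, so the details endpoint can never return a row the list would not have shown, regardless of what ID the browser sends.

```csharp
// Added example (not from the original thread). Assumed: ASP.NET MVC 5, ASP.NET Identity,
// an EF-style IQueryable data source, and the entity/rule names below.
using System;
using System.Linq;
using System.Linq.Expressions;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public class TaskItem
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string AssigneeUserId { get; set; }  // assumed column: the Identity user id of the assignee
    public int TeamId { get; set; }             // assumed column: the team that owns the task
}

public class TeamMember                         // assumed membership table
{
    public int TeamId { get; set; }
    public string UserId { get; set; }
}

public interface IAppData                       // assumed abstraction over the application's DbContext
{
    IQueryable<TaskItem> Tasks { get; }
    IQueryable<TeamMember> TeamMembers { get; }
}

public static class TaskVisibility
{
    // One predicate, reused by BOTH the list and the details action. The business rule lives here
    // and nowhere else; swap it for role membership, ownership, etc. as the application requires.
    public static Expression<Func<TaskItem, bool>> VisibleTo(IAppData db, string userId)
    {
        var teamIds = db.TeamMembers.Where(m => m.UserId == userId).Select(m => m.TeamId);
        return t => t.AssigneeUserId == userId || teamIds.Contains(t.TeamId);
    }
}

[Authorize]                                     // authentication: anonymous requests never reach these actions
public class TasksController : Controller
{
    private readonly IAppData _db;

    public TasksController(IAppData db) { _db = db; }

    // GET /Tasks -- the list the user already sees.
    public ActionResult Index()
    {
        var userId = User.Identity.GetUserId();
        var tasks = _db.Tasks.Where(TaskVisibility.VisibleTo(_db, userId)).ToList();
        return View(tasks);
    }

    // GET /Tasks/Details/42 -- the id comes from the client and is attacker-controlled;
    // the user identity comes from the server-side auth cookie and is not.
    public ActionResult Details(int id)
    {
        var userId = User.Identity.GetUserId();
        var task = _db.Tasks
            .Where(TaskVisibility.VisibleTo(_db, userId))   // authorization applied in the query itself
            .SingleOrDefault(t => t.Id == id);

        // "Not found" and "not yours" look identical to the caller, so probing ids from the
        // inspector does not even confirm which task ids exist.
        if (task == null)
            return HttpNotFound();

        return PartialView("_TaskDetails", task);
    }
}
```

Applying the visibility predicate inside the query, rather than loading the task first and checking afterwards, is what makes this portable to other modules: each module supplies its own `VisibleTo` predicate, and every action that reads that entity goes through it. If the application prefers an explicit 403 for a task the user is not allowed to see, return `new HttpStatusCodeResult(403)` instead of `HttpNotFound()`, at the cost of confirming to the caller that the ID is valid.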