MVC Authorize Issue

Question
-
User2071107847 posted
Hi all
I created a user dashboard page from where you can go to the edit page. My problem is that when you go to the edit page by ID, e.g. id=5, and you are logged in as a user, e.g. user1, you can edit user2's data if you go there from the URL. I have added a username column in the user table, and when creating a new record I have the username data in it. How can I protect the data so that users cannot edit other users' data?
I'm using these attributes also:
[HttpPost]
[ValidateAntiForgeryToken]
Monday, June 3, 2019 3:51 PM
Answers
-
User1520731567 posted
Hi aprangulashvili,
Yes, I want to write code where every user has his own record and another user can't view it. I know that MVC automatically creates it.
The main way of writing it depends on your database design; MVC cannot automatically create such a custom structure.
For example:
If you create an Individual User Accounts project, like:
In the Index action, if you want to show data which belongs to the current user, you could query the currently logged in user and use Where() to filter the data based on the current user.
like:
using System.Linq;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public ActionResult Index()
{
    // query the currently logged in user
    ApplicationUser user = System.Web.HttpContext.Current.GetOwinContext()
        .GetUserManager<ApplicationUserManager>()
        .FindById(System.Web.HttpContext.Current.User.Identity.GetUserId());

    // filter so that every user only gets his own record
    var currentlist = db.Users.Where(x => x.Id == user.Id).ToList();

    // ... and then pass currentlist from the controller to the view in any way you want
    return View(currentlist);
}
Best Regards.
Yuki Tao
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Thursday, July 4, 2019 7:49 AM
All replies
-
User475983607 posted
Consider using standard MVC security; ASP.NET Identity.
The user's identity is encrypted and stored in an authentication cookie. Do not append the userId to the URL; that is not secure.
Monday, June 3, 2019 4:02 PM -
User2071107847 posted
I want to read detailed information about how to filter data with user identity. Can you give me a link? I'm new in MVC.
Thank you in advance.
Monday, June 3, 2019 7:08 PM -
User475983607 posted
I want to read detailed information about how to filter data with user identity. Can you give me a link? I'm new in MVC.
Thank you in advance.
I'm not sure what "how to filter data with user identity" means. Identity is an API and data store for managing user accounts in an ASP.NET application.
The link in my previous post gets you started with Identity and includes links to other resources. Being new, I would start by reading the link.
Monday, June 3, 2019 7:25 PM -
User1520731567 posted
Hi aprangulashvili,
aprangulashvili
I have added a username column in the user table, and when creating a new record I have the username data in it. How can I protect the data so that users cannot edit other users' data?
If every record of yours has a username, for example:
if user1 clicks the link of user2, you could define an onclick event in JavaScript and check whether your current user matches the username.
If it matches, it will enter the link. If it does not match, you could pop up a window and prompt 'no access'.
Best Regards.
Yuki Tao
Tuesday, June 4, 2019 7:35 AM -
User-474980206 posted
MVC Identity only supports action security. To do what you want, you need to implement horizontal data security. This you write in the data layer, by filtering all data access by the user ID.
Tuesday, June 4, 2019 2:23 PM -
User753101303 posted
Hi,
If doing something for the authenticated user, you should always get the authenticated user on the server side rather than send the id for this user to the client side and then trust this value in other pages.
For example, on this site you edit your profile at https://forums.asp.net/user/editprofile.aspx (not https://forums.asp.net/user/editprofile.aspx?id=1234). It is the page itself that does the lookup based on which user is using the page, so that each user can only see and change his own profile.
With MVC you could use for example a MeController, so that https://site.com/me and https://site.com/me/edit show and change the "current" user. Those actions won't use any parameter that was sent from the client side but will directly retrieve who is connected, so that each user can edit his own profile only.
Tuesday, June 4, 2019 2:48 PM -
User2071107847 posted
Yes, you guessed what I want. Please can you give me links or any materials? I want to read and make it :) Thank you
Wednesday, June 5, 2019 9:01 AM -
User1520731567 posted
Hi aprangulashvili,
For example, on this site you edit your profile at https://forums.asp.net/user/editprofile.aspx (not https://forums.asp.net/user/editprofile.aspx?id=1234). It is the page itself that does the lookup based on which user is using the page, so that each user can only see and change his own profile.
As @PatriceSc said, a user can only query and edit himself; user1 can't see or click a link which contains id=user2 or other parameters, so you need to redesign your database.
For example, you could google user/role management in MVC online to find information easily.
Or you could use the [Authorize] filter to keep out users without permissions:
https://www.youtube.com/watch?v=xTnXbEiKD8w
Best Regards.
Yuki Tao
Tuesday, July 2, 2019 7:21 AM -
User2071107847 posted
Hello Yuki
Yes, I want to write code where every user has his own record and another user can't view it. I know that MVC automatically creates it. Can you post me this code example? Just the controller.
thanks
Wednesday, July 3, 2019 7:47 AM -
User2071107847 posted
hello
thank you for response.
This example is good and understood, but I need to protect the data when moving between links by ID: you go to e.g. ID=5 and the logged-in user types ID=10 in the address bar, and it isn't his record. How do I protect against a situation like this?
Friday, July 5, 2019 12:16 PM -
User409696431 posted
If you are using Identity, you should never have the ID in the address bar. (That's a general rule for any authorization method. A user's Id should never be passed in the URL, and a page should never assume that an ID in the URL is the actual user, which means: simply don't put an ID in the URL.) Fetch the logged-in user's identity in the page itself, and filter the data by that user. (That is what Yuki Tao's post illustrated.) The logged-in user can only see and/or edit that user's data.
Saturday, July 6, 2019 6:05 AM
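Pulling the thread's advice together (filter every data access by the authenticated user's id in the data layer, and never trust an id that arrives in the URL or form), here is an added ASP.NET MVC 5 controller that is not from any of the posters. The Record model, AppDbContext and the OwnerId column are assumed for illustration; the user id comes from the Identity auth cookie via User.Identity.GetUserId().

```csharp
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // GetUserId() extension on IIdentity
// Hypothetical model and DbContext, assumed for this example.
public class Record
{
    public int Id { get; set; }
    public string OwnerId { get; set; }   // Identity user id, set server-side on create
    public string Title { get; set; }
}
public class AppDbContext : DbContext
{
    public DbSet<Record> Records { get; set; }
}

[Authorize]
public class RecordsController : Controller
{
    private readonly AppDbContext db = new AppDbContext();

    // Every action resolves ids only within the caller's own rows, so an id
    // typed into the address bar (id=10) cannot reach another user's record.
    private IQueryable<Record> MyRecords()
    {
        var userId = User.Identity.GetUserId();   // from the auth cookie, not the URL
        return db.Records.Where(r => r.OwnerId == userId);
    }

    // Insecure form for contrast: db.Records.Find(id) trusts the route id alone.
    public ActionResult Edit(int id)
    {
        var record = MyRecords().SingleOrDefault(r => r.Id == id);
        if (record == null) return HttpNotFound();   // missing or not yours: same reply
        return View(record);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(int id, Record posted)
    {
        // Re-check ownership on POST too; never trust a posted OwnerId or Id.
        var record = MyRecords().SingleOrDefault(r => r.Id == id);
        if (record == null) return HttpNotFound();
        record.Title = posted.Title;   // copy only the editable fields
        db.SaveChanges();
        return RedirectToAction("Index");
    }
}
```

Returning 404 for both "no such record" and "not your record" avoids confirming to a user which ids belong to someone else.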