In ASP.NET MVC, when updating data, how does one know that the data being manipulated really belongs to the user making the call?
In ASP.NET MVC, when creating, updating or deleting info, how does one know that the info being manipulated belongs to the user making the call?

    [Authorize]
    [HttpPost]
    public ActionResult Edit(Model model)
    {
        // edit info in database
    }

If a user can manipulate his own info, he can also see, or find out, the info of other users which is public, and manipulate it.
How can I be sure the user is who he says he is when, for example, Edit is called?
The Authorize attribute makes sure the user has logged in.
I'm thinking of using Controller.User.Identity.Name in Update and Create to make sure the user who created the info is the one who changes it.
But then comes the question: is it possible for a user to go around manipulating Controller.User.Identity.Name?
How can one know the user is who he says he is in regard to this?
There are 2 kinds of authorization.

One, "vertical", has helpers provided by the framework (such as the Authorize attribute). "Vertical authorization" determines if the user is allowed to make the request or perform the action. It knows nothing of the info of the request or the action being performed, only the request/action itself.

The second, more "horizontal", doesn't have built-in helpers in the framework because it's subjective, based on the business logic of the application. This one is up to you. "Horizontal authorization" determines if the user is permitted to manipulate specific info elements (specific records in the data) under specific conditions.

To put it simply... if a user submits a request to the application (invoking the Edit action on a record, for example), while the framework can tell if the user is permitted to invoke the action, you need to manually determine if the user is permitted to edit that specific data.

For example, let's say 2 users create records in a table. In that table there should be a column indicating which user created the record. (Username, identifier, however you want to link the user.) That value isn't provided by the user when inserting data; it's provided by the code when building the record. You'd pull the value from the logged-in identity of the user (however you track the username/id in your application).

Later, when a user attempts to edit a record in the table, you need to validate that the user performing the action (again, based on the logged-in identity) is the user who wrote the record (based on the info that's in the table). Or an admin, or in some other way authorized to manage the info based on your business logic. None of this is based on values being sent from the client; it's exclusively server-side.

So while the client-side code may store the identifier of the record being edited, that value can be changed by a savvy user. That value isn't trusted. If a user requests a page, edits values, and submits the page, the server-side code would use the page-provided identifier to know which record the user is attempting to edit, and use the logged-in user identity to determine if the user is allowed to edit that record. In the event the user has manipulated the form values to edit somebody else's record, the server-side code should respond with an error or friendly message denying the action.
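The ownership check the answer describes, written out as an added example in C# for ASP.NET MVC 5 with Entity Framework 6. This is not code from the question or the answer; the `Note` entity, `NotesContext`, `NoteEditModel` and the `Admin` role name are assumptions made for the illustration. The posted record id is used only to select the row; whether the caller may touch that row is decided from the stored owner column and the server-side identity.

```csharp
using System;
using System.Data.Entity;          // Entity Framework 6 (assumed data layer)
using System.Linq;
using System.Net;
using System.Web.Mvc;

// Assumed entity: OwnerUserName is the "which user created the record" column from the answer.
public class Note
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }   // written by server code only, never bound from a form
    public string Body { get; set; }
}

// Assumed view model. It deliberately has no OwnerUserName property, so a posted
// "OwnerUserName" field is ignored by model binding instead of overwriting the column.
public class NoteEditModel
{
    public int Id { get; set; }
    public string Body { get; set; }
}

public class NotesContext : DbContext            // assumed EF context
{
    public DbSet<Note> Notes { get; set; }
}

[Authorize]                                      // vertical: only authenticated users get in at all
public class NotesController : Controller
{
    private readonly NotesContext _db = new NotesContext();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(NoteEditModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // The owner comes from the authenticated identity on the server, not from the request body.
        var note = new Note { OwnerUserName = User.Identity.Name, Body = model.Body };
        _db.Notes.Add(note);
        _db.SaveChanges();
        return RedirectToAction("Index");
    }

    // model.Id is untrusted client input: it only chooses which row to load.
    // Horizontal authorization happens in CanManage, against the stored owner column.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(NoteEditModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var note = _db.Notes.SingleOrDefault(n => n.Id == model.Id);
        if (note == null) return HttpNotFound();

        if (!CanManage(note))
        {
            // Tampered or foreign id: deny. Some applications return HttpNotFound() here
            // instead, so the response does not confirm that the record exists.
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }

        note.Body = model.Body;                  // OwnerUserName is intentionally left untouched
        _db.SaveChanges();
        return RedirectToAction("Index");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        var note = _db.Notes.SingleOrDefault(n => n.Id == id);
        if (note == null) return HttpNotFound();
        if (!CanManage(note)) return new HttpStatusCodeResult(HttpStatusCode.Forbidden);

        _db.Notes.Remove(note);
        _db.SaveChanges();
        return RedirectToAction("Index");
    }

    // The business rule from the answer: the record's creator, or an admin, may manage it.
    // "Admin" is an assumed role name.
    private bool CanManage(Note note)
    {
        return string.Equals(note.OwnerUserName, User.Identity.Name, StringComparison.OrdinalIgnoreCase)
            || User.IsInRole("Admin");
    }
}
```

On the question's worry about `Controller.User.Identity.Name`: in ASP.NET that value is populated by the authentication module from the validated authentication ticket (for example the forms-authentication cookie, which is signed and encrypted with the server's machine key), not from any form field, so a user cannot set it by editing the posted values. What the user can edit is the record id, which is why the lookup above is followed by the ownership check rather than trusted on its own.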
asp.net-mvc