John

Reputation: 3945

How to prevent users from changing other users data in ASP.NET MVC

At the min, any user can book a holiday for any employee.

I have added [Authorization] to the controllers, and @if (User.Identity.IsAuthenticated) in the layout so only logged-in users can view the pages. But how can I go about only allowing users to book a holiday for themselves?

Something like if loggedInUserID (is this assigned automatically when a user is created?) = currentPersonID, although this is only a guess and I would probably have to assign the same loggedInUserID to personID.


EDIT:

[HttpPost]
public ActionResult Create(Holiday holiday)
{
    HolidayList model = new HolidayList();

    // Load the people list before iterating it (it was iterated while still empty)
    model.PList4DD = db.People.ToList();
    model.HList4DD = db.Holidays.ToList();

    // Find the person record whose name matches the logged-in user
    Person current = model.PList4DD
        .FirstOrDefault(p => p.Name == HttpContext.User.Identity.Name);

    // No matching person: do not allow the booking
    if (current == null)
    {
        return RedirectToAction("Index");
    }

    // Allow
    if (ModelState.IsValid)
    {
        db.Holidays.AddObject(holiday);
        db.SaveChanges();
        return RedirectToAction("Index");
    }

    ViewBag.Id = new SelectList(db.People, "Id", "Name", holiday.Id);
    return View(holiday);
}

Thanks

Upvotes: 0

Views: 1677

Answers (3)

James

Reputation: 82096

Assuming your view is only ever called from a restricted action, adding [Authorize] should be enough; there is no need to do @if(User.Identity.IsAuthenticated) in the view itself, as the user should never reach it.

As for your actual problem, I would create a view model for your booking view which contains the username (or id) of the current user; for simplicity take the Username, e.g.

public class BookingViewModel
{
    // Username of the user the booking is for, rendered as a hidden field
    [HiddenInput]
    public string Username { get; set; }
    ...
}

Then in your view when you attempt to post back to the server you can validate whether the booking is valid e.g.

[HttpPost]
public ActionResult CreateBooking(BookingViewModel bookingModel)
{
    // Only accept the booking if it is for the currently logged-in user
    if (bookingModel.Username == User.Identity.Name)
    {
        // proceed with booking
        return View("BookingComplete", bookingModel);
    }
    else
    {
        // add model state error
        ModelState.AddModelError("", "You can only book a holiday for yourself.");
    }
    return View(bookingModel);
}

Upvotes: 1
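A server-side version of that check, as an added example that is not from the question or any answer: rather than trusting a username posted back from the form, the action resolves the logged-in user's Person record on the server and forces the holiday's owner to it, and Edit applies the same rule to reads so a guessed id belonging to someone else is not returned. It assumes Person.Name equals the login name (as in the question's code), a Holiday.PersonId foreign key and a HolidayEntities context, none of which are on the page.

```csharp
using System.Linq;
using System.Web.Mvc;

// Added example, not code from the question or answers. Holiday.PersonId and
// HolidayEntities are assumed names; Person.Name is assumed to be the login name.
[Authorize]
public class HolidayController : Controller
{
    private readonly HolidayEntities db = new HolidayEntities(); // assumed EF context

    // Resolve the Person for the logged-in user on the server; never take it
    // from the form, a hidden field or the URL.
    private Person CurrentPerson()
    {
        string login = User.Identity.Name;
        return db.People.SingleOrDefault(p => p.Name == login);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(Holiday holiday)
    {
        Person me = CurrentPerson();
        if (me == null)
            return new HttpUnauthorizedResult();

        // Overwrite whatever PersonId the client posted with the server-side value.
        holiday.PersonId = me.Id;

        if (!ModelState.IsValid)
            return View(holiday);

        db.Holidays.AddObject(holiday);
        db.SaveChanges();
        return RedirectToAction("Index");
    }

    // Scope the lookup to the owner: someone else's holiday id yields 404,
    // not their record.
    public ActionResult Edit(int id)
    {
        Person me = CurrentPerson();
        if (me == null)
            return new HttpUnauthorizedResult();

        Holiday holiday = db.Holidays.SingleOrDefault(h => h.Id == id && h.PersonId == me.Id);
        if (holiday == null)
            return HttpNotFound();

        return View(holiday);
    }
}
```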

Konstantin Dinev

Reputation: 34895

So you need to add an additional check against the username or user id:

I would assume that the model you are returning to the view is of type Employee.

public class Employee
{
    public int Id { get; set; }
    public string UserName { get; set; }
}

public ActionResult Home(int id)
{
    Employee model = GetEmployeeById(id); // Get employee by id (hypothetical lookup helper)
    return View(model);
}

Then inside your view you can check the username:

@model Employee
@if (User.Identity.IsAuthenticated && User.Identity.Name == Model.UserName)

Upvotes: 1

KingCronus

Reputation: 4519

In your controller, there is HttpContext.User.Identity.Name.

It will give you the username of the currently logged in person. Maybe that might be a good place to start?

Upvotes: 3
