Reputation: 40182
I have a collection of posts created by separate users in my database.
To edit their post, users navigate to a page "Posts/EditPost?PostID=x" where x is the post ID.
The "Posts" controller has an '[Authorize]' attribute and the GET part of the action checks to see if the post was made by the user.
If the user did indeed make the post, it renders the view. In the view there is a hidden field with the "PostID".
When the user submits the form, the POST part of the action re-checks whether the PostID matches a post created by the currently logged-in user.
Is there a better way to accomplish this without having to double check if the user has access to edit the post, or is this the best way?
Upvotes: 0
Views: 703
Reputation: 22760
I had the same problem but I solved it by removing the ability to edit at the View. Once the ability to edit was removed I could kinda assume that if an edit was made then the user had rights.
I did this because others, moderators, also had to be able to edit the posts.
Clearly this might not work on the internet because you could get around the security but on the company intranet it works a treat.
I still think I should check at the business layer for the user rights but they need to give me more money and time for that. :)
Upvotes: 0
Reputation: 1885
That actually sounds pretty good to me. The only thing I could suggest if you didn't want to check the user twice would be to use something like an anti-forgery token that you render with the view. Since you only get to the view if you are allowed to edit the post, at this point I would think all you need to do is check to see if the POST came from your site.
Upvotes: 1
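The pattern from the question (ownership check on GET, hidden PostID in the form, ownership re-check on POST) with the anti-forgery token from the last answer layered on top, as an added ASP.NET MVC example that is not code from the original thread. The `Post` class, `IPostRepository`, the `Details` action and the 403 responses are assumptions; the point it makes is that the hidden PostID is client-controlled input, so the anti-forgery token (which only stops cross-site requests) does not remove the need to re-check ownership on POST, and that factoring the check into one helper keeps the rule in a single place.

```csharp
using System.Linq;
using System.Web.Mvc;

// Assumed minimal model and repository (not from the original thread).
public class Post
{
    public int PostID { get; set; }
    public string AuthorName { get; set; }
    public string Body { get; set; }
}

public interface IPostRepository
{
    IQueryable<Post> Posts { get; }
    void Save(Post post);
}

[Authorize]   // only authenticated users reach any action on this controller
public class PostsController : Controller
{
    private readonly IPostRepository _repo;

    public PostsController(IPostRepository repo) { _repo = repo; }

    // One ownership check shared by GET and POST: returns the post only if the
    // current user wrote it, so every edit path applies the same rule.
    private Post FindOwnedPost(int postId)
    {
        string currentUser = User.Identity.Name;
        return _repo.Posts.SingleOrDefault(p => p.PostID == postId && p.AuthorName == currentUser);
    }

    // GET /Posts/EditPost?PostID=x (model binding matches "PostID" to postId case-insensitively)
    [HttpGet]
    public ActionResult EditPost(int postId)
    {
        var post = FindOwnedPost(postId);
        if (post == null) return new HttpStatusCodeResult(403);   // or HttpNotFound() to hide existence
        return View(post);   // the view renders the hidden PostID and @Html.AntiForgeryToken()
    }

    [HttpPost]
    [ValidateAntiForgeryToken]   // CSRF defence; complements, does not replace, the check below
    public ActionResult EditPost(int postId, string body)
    {
        // The hidden PostID arrives from the client and can be changed freely:
        // re-check ownership before writing anything.
        var post = FindOwnedPost(postId);
        if (post == null) return new HttpStatusCodeResult(403);
        post.Body = body;
        _repo.Save(post);
        return RedirectToAction("Details", new { postId = post.PostID });
    }
}
```

The second check costs one indexed query per edit; putting the author filter in the same query as the lookup means a tampered PostID simply finds no row rather than reaching the update.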