Qaiser Iftikhar

Reputation: 13

Breezejs restricting access to entities

I've recently started to investigate Breezejs. I'm working on a system which will be used by multiple customers, and I can't expose one customer's data to another. How does Breezejs ensure that, or what is the standard/recommended way of implementing this?

Say my entities are

Customer with properties Id, Name

Registered Emails with properties Id, Email, CustomerId

I keep the CustomerId in session when the user logs in. I don't allow the user in my UI to send the customer id, but how can I stop a malicious user from hand-crafting a request and accessing other customers' information?

Upvotes: 1

Views: 186

Answers (2)

Oliver Kane

Reputation: 898

That's certainly the simplest; however, it has NO way to protect against someone deleting/updating the very same restricted entries, as this query isn't taken into account during a save. Only the EntityType gets sent to SaveChanges.

Upvotes: 0

Jay Traband

Reputation: 17052

Simplest way is to return your IQueryables on the server with a customer id restriction. Something like this:

[BreezeController]
public class NorthwindIBModelController : ApiController {
    ...
  // initialize this from your session data
  // (fields cannot be declared with var; int is assumed here, use your key type)
  private int currentCustomerId;

  [HttpGet]
  public IQueryable<Customer> Customers() {
    return ContextProvider.Context.Customers.Where(cust => cust.Id == currentCustomerId);
  }

  [HttpGet]
  public IQueryable<Email> RegisteredEmails() {
    return ContextProvider.Context.Emails.Where(email => email.CustomerId == currentCustomerId);
  }
}

Does this make sense?

Upvotes: 1
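Added example (not from either answer and not Breeze's own code): the first answer notes that a filtered IQueryable does not cover saves, so this sketch applies the same customer-id restriction on the save path by overriding BeforeSaveEntity on the EF context provider. TenantContextProvider, AppDbContext, the RegisteredEmail class, the int keys and the Breeze.ContextProvider.EF6 namespaces are assumptions.

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using Breeze.ContextProvider;
using Breeze.ContextProvider.EF6;
using BreezeState = Breeze.ContextProvider.EntityState; // avoids clash with EF's EntityState

// Constructed model for the question's entities; int keys are an assumption.
public class Customer { public int Id { get; set; } public string Name { get; set; } }
public class RegisteredEmail {
  public int Id { get; set; }
  public string Email { get; set; }
  public int CustomerId { get; set; }
}
public class AppDbContext : DbContext { // hypothetical context
  public DbSet<Customer> Customers { get; set; }
  public DbSet<RegisteredEmail> RegisteredEmails { get; set; }
}

// Hypothetical provider; construct it with the customer id read from the session.
public class TenantContextProvider : EFContextProvider<AppDbContext> {
  private readonly int _customerId;
  public TenantContextProvider(int customerId) { _customerId = customerId; }

  // Breeze calls this once per entity in the save bundle; throwing fails the whole save.
  protected override bool BeforeSaveEntity(EntityInfo info) {
    if (!IsAllowed(info))
      throw new UnauthorizedAccessException("Entity is outside the current customer's scope.");
    return true;
  }

  private bool IsAllowed(EntityInfo info) {
    var email = info.Entity as RegisteredEmail;
    if (email != null) {
      if (email.CustomerId != _customerId) return false;       // posted owner must match session
      if (info.EntityState == BreezeState.Added) return true;
      // Modified/Deleted: the posted CustomerId is client-controlled, so check the stored row.
      using (var db = new AppDbContext()) {
        return db.RegisteredEmails.AsNoTracking()
                 .Any(e => e.Id == email.Id && e.CustomerId == _customerId);
      }
    }
    var customer = info.Entity as Customer;
    if (customer != null)   // a tenant may only edit its own Customer row
      return info.EntityState == BreezeState.Modified && customer.Id == _customerId;
    return false;           // deny entity types with no explicit rule
  }
}
```

The ownership lookup uses a separate context instance so the check does not attach entities to the context Breeze is about to save with.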
