Nick

Reputation: 11

View Model Identifier

I am attempting to get started on a new ASP.NET MVC4 project and have a few questions regarding View Model security.

Say I have a class to represent application users

public class User
{
    public int UserID { get; set; }
    public string Name { get; set; }
}

And another class to represent tasks for an application user

public class UserTask
{
    public int TaskID { get; set; }
    public int UserID { get; set; }

    public string Task { get; set; }
}

My coworker seems to think that the View Model representation of the UserTask class SHOULD NOT contain the UserID for security purposes (to prevent people tampering with the UserID).

Example

public class UserTaskViewModel
{
    public int TaskID { get; set; }
    public string Task { get; set; }
}

I cannot for the life of me find any documentation supporting this claim and haven't been able to get a straight answer.

Is this a common thing? Should the ViewModel "hide" specific properties from the View for security purposes? I understand if the data comes from Model Binding it could be tampered with, just trying to figure out what is the preferred method/best practice for this scenario.

Upvotes: 1

Views: 54

Answers (1)

Andy T

Reputation: 9881

Exposing the UserId could be a potential security concern, because:

  1. you are revealing information and
  2. it can be tampered with.

If you are listing the tasks for different users, then you will need to know the user for each task. I guess you could obfuscate the UserId, or when they interact with the task (edit/delete), you can simply check that the user has access.

If the user is only allowed to interact with their own tasks, then there is no need to include the userId as you already know who the user is.

Upvotes: 1
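The two cases the answer describes (check ownership on edit/delete; attribute new tasks to the signed-in user instead of binding a UserID), as an added example that is not part of the question or answer. It reuses the question's UserTask and UserTaskViewModel classes; ITaskRepository, the dependency resolver that supplies it, and storing the numeric UserID in the identity name are assumptions.

```csharp
using System.Web.Mvc;

public class UserTask { public int TaskID { get; set; } public int UserID { get; set; } public string Task { get; set; } }
public class UserTaskViewModel { public int TaskID { get; set; } public string Task { get; set; } }

// Hypothetical data-access interface; the question shows none.
public interface ITaskRepository
{
    UserTask GetById(int taskId);
    void Save(UserTask task);
}

[Authorize]
public class UserTaskController : Controller
{
    private readonly ITaskRepository _tasks;
    public UserTaskController(ITaskRepository tasks) { _tasks = tasks; }

    // Assumption: the authenticated identity's name holds the numeric UserID.
    private int CurrentUserId() { return int.Parse(User.Identity.Name); }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(UserTaskViewModel vm)
    {
        if (!ModelState.IsValid) return View(vm);

        // The owner is read from storage, never from the posted form.
        var task = _tasks.GetById(vm.TaskID);
        if (task == null) return HttpNotFound();

        // Ownership check: a TaskID belonging to another user is refused.
        if (task.UserID != CurrentUserId()) return new HttpStatusCodeResult(403);

        task.Task = vm.Task;
        _tasks.Save(task);
        return RedirectToAction("Index");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Create(UserTaskViewModel vm)
    {
        if (!ModelState.IsValid) return View(vm);

        // New tasks are attributed to the caller; there is no UserID field to tamper with.
        _tasks.Save(new UserTask { UserID = CurrentUserId(), Task = vm.Task });
        return RedirectToAction("Index");
    }
}
```

Because the view model carries no UserID, model binding cannot set it from the request even if a client adds a UserID form field; the ownership check on Edit still matters because TaskID itself is client-supplied.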
