ken1nil

Reputation: 935

User specific information accessible everywhere. How to secure it?

Using ASP.NET MVC 5 and Entity Framework. How can I secure my application so I can't access other users' data?

To do CRUD stuff I have index, create, edit, delete methods in FooController so I can use:

/Foo/ 

To view my information I click one and get

/Foo/Details/5

When I type in 3 in the browser I get someone else's information.

/Foo/Details/3

How can I secure this from being accessed everywhere? I use Owin Identity and am logged into the application.

Upvotes: 1

Views: 96

Answers (1)

Darin Dimitrov

Reputation: 1038830

You could write a custom authorization filter by deriving from the AuthorizeAttribute class and inside you could check whether the currently authenticated user has access to the requested resource.

For example:

using System;
using System.Web;
using System.Web.Mvc;

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Let the base class reject anonymous users (and apply Roles/Users) first
        bool authorized = base.AuthorizeCore(httpContext);
        if (!authorized)
        {
            return false;
        }

        // Request["id"] only looks at the query string, form, cookies and server
        // variables, so for a URL like /Foo/Details/3 the id has to be read from
        // route data; fall back to Request["id"] for /Foo/Details?id=3
        object routeId = httpContext.Request.RequestContext.RouteData.Values["id"];
        string id = routeId != null ? routeId.ToString() : httpContext.Request["id"];
        string currentUser = httpContext.User.Identity.Name;

        return HasAccessToResource(id, currentUser);
    }

    private bool HasAccessToResource(string id, string currentUser)
    {
        // You know what to do here => check in your backend whether the
        // current user is authorized to access the specified resource id
        throw new NotImplementedException();
    }
}

and then decorate your controllers/actions with this custom attribute:

[MyAuthorize]
public ActionResult Delete(string id)
{
    // if you get this far, the current user is the owner of the requested resource
    ...
}

Upvotes: 3
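Filling in the ownership check the answer leaves as `HasAccessToResource`, as an added example that is not part of the original answer: the filter reads the id from route data (the original `Request["id"]` does not see `/Foo/Details/3`), asks Entity Framework whether that row belongs to the logged-in user (by OWIN Identity user id rather than `Identity.Name`), and the action scopes its own query to the owner as well. `Foo`, `OwnerId`, `AppDbContext` and `OwnsFooAttribute` are assumed names; the controller's `Details` action and the `/Foo/Details/{id}` route are the ones from the question.

```csharp
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
// Assumed entity and EF context: every row records the Identity user id that owns it.
public class Foo
{
    public int Id { get; set; }
    public string OwnerId { get; set; }   // value of User.Identity.GetUserId()
}
public class AppDbContext : DbContext
{
    public DbSet<Foo> Foos { get; set; }
}

// Ownership filter: takes the id from route data (/Foo/Details/3) and asks
// the database whether that row belongs to the logged-in user.
public class OwnsFooAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);        // login/role check first
        if (filterContext.Result != null) return;   // already rejected
        int id;
        object raw = filterContext.RouteData.Values["id"];
        string userId = filterContext.HttpContext.User.Identity.GetUserId();
        bool owns = false;
        if (raw != null && int.TryParse(raw.ToString(), out id))
        {
            using (var db = new AppDbContext())
                owns = db.Foos.Any(f => f.Id == id && f.OwnerId == userId);
        }
        // 404 rather than 403 so the response does not confirm that another user's row exists.
        if (!owns) filterContext.Result = new HttpNotFoundResult();
    }
}

public class FooController : Controller
{
    private readonly AppDbContext db = new AppDbContext();
    [OwnsFoo]
    public ActionResult Details(int id)
    {
        // Defence in depth: the query itself is scoped to the owner as well.
        string userId = User.Identity.GetUserId();
        Foo foo = db.Foos.SingleOrDefault(f => f.Id == id && f.OwnerId == userId);
        return foo == null ? (ActionResult)HttpNotFound() : View(foo);
    }
}
```

With both layers in place, `/Foo/Details/3` returns 404 for anyone but the row's owner even if a future action forgets the attribute, and a missing or non-numeric id is treated the same way instead of reaching the database.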
