Reputation: 1425
MVC Routes - limiting direct browsing to action methods
I was wondering how I could stop users from accessing an action method directly through browsing to the url. I have a ViewUser action method in which an ID is passed from the url. Right now the user can substitute the ID with a different one and the action method will execute. Right now I don't have a specified route set up. Is it possible to only allow access to the action method from ActionLinks only?
Upvotes: 0
Views: 105
Answers (2)
Reputation: 8237
For obvious reasons there is no way to restrict access to a url from specific <a /> tags. You should instead use something like forms authentication and check if the currently authenticated user has the rights to do what he/she requests.
Upvotes: 1
Reputation: 2141
Use UUID instead of id. UUID.randomUUID(). If that is not an option, think about passing in an authentication token.
Upvotes: 1
Related Questions
- MVC How do I prevent calling Action Method by it's name while only allowing to call it via routing
- Use a specific route with Url.Action
- Prevent user from explicitly going to a MVC page
- How to route everything to a specific action except About
- MVC Route specific URL to specific action?
- remove controllers and actions from URL with MVC routes
- ASP.NET MVC - Ignore specific route
- Do not display Action in URL - Routing
- ASP.NET MVC 3 – How can I route directly to an action
- ASP.NET MVC how to not make route for every action