Control Level Security in ASP.Net for server side and client side controls

Question

I have a software application in ASP.Net, I have different buttons and link labels, each button has classes, for example the add buttons have btnAdd as their classes, and some of the labels are using similar classes. What would be the best approach if i want control level security, for example a user with ID =2 should not be allowed to click on AddNew button of some ABC page.

My Solution: I have several solutions in mind, for example to store the names of the classes in a table and link that table with Pages Table and bring data into Hidden text field and then on page load we will check either this control is allowed or not. Like btnAdd is allowed to be visible and btnSearch is not.

Please find the image attached for further clarification.

Let's say we have permissions in hidden field in some format. But will it be the right approach of doing this way? please suggest some better solution.

Answer 1

Use Razor to generate the buttons

You could structure your Razor view to incorporate a view model containing the user's permissions. Then you could add each button to the page based on whether or not the user has permission to perform that action.

Let's say you have your model (we will call it Users) contain a permission set that you can access via Users.UserPermissions. Your UserPermissions property might have a CanAdd and a CanSearch boolean. You'd populate this model with the data from your database regarding the user in question, and then render the page like this:

<div class="container">
    @{
        if (Model.UserPermissions.CanAdd)
        {
            <button class="add">Add</button>
        }

        if (Model.UserPermissions.CanSearch)
        {
            <button class="search">Search</button>
        }
    }
</div>

Then check your permissions server-side

This means the button will only get added to the interface if the user has permission to perform that action.

[HttpPost]
public ActionResult Index(UserViewModel model)
{
    var user = User.GetByEmail(userEmail);

    if (user.CanAdd)
    {
        myClass.Add(model.ThingsToAdd);
    }

    if (user.CanSearch)
    {
        myClass.Search(model.ThingsToSearchFor);
    }

    return View()
}

When the users submits the form, the program is also checking the user's permissions on the server to ensure teh validity of the request. Even if an attacker managed to find a sneaky way to perform a function they aren't allowed to perform, the program can still limit the attacker from performing said action by checking the data being returned, and verifying that the user is actually allowed that functionality.

It's the equivalent of trying to withdraw money from a bank - the teller should check to make sure you have some money in the bank first before they hand you any cash.

What you should NOT do

Absolutely never rely on hidden fields or objects returned from the client to determine a managed variable result. You should always assume that data sent from the client is unsafe or tampered. Run your checks, sanitise your inputs, and try to verify everything the client sends you is true.

Things like permissions to perform actions should always be checked server-side and never anything else.