Reputation: 311
Restrict users accessing other users' data
I'm having a problem of designing a common functionality of hiding information created by a user from other users. As an example,to edit Products created by USER1, normally we use one of following.
- /Product/Edit/Id/1
- /Product/Edit?Id=1
My concern is, if USER2 got the Id, 1, he also able to access Product with Id=1, which was created by USER1. How to restrict USER2 accessing USER1'S data? This may needs to apply for every module in the project. Is there a common way to achieve this? Thanks
Upvotes: 0
Views: 1081
Answers (2)
Reputation: 679
If you are keeping state of what user is accessing the data. You can add a "WHERE CreatedBy = {YOURLOGGEDINUSER}" to this query and throughout your application. Then even if he gets the ID correct no data would be returned.
Upvotes: 2
Reputation: 7434
Assuming that you have enabled some sort of ASP.Net Authentication (The user has proved who they are) then you now need to think about the Authorization (what the user is allowed to do).
It doesn't help that these two terms are often combined or used interchangeably. In MVC a custom AuthorizeAttribute is often used to do both.
For managing records, the current logged on user is accessed via the IPrincipal from HttpContext.Current.User.
The user id is usually set at HttpContext.User.Current.Identity.Name although you may need to do a null check if not every route is authenticated.
Upvotes: 1
Related Questions
- ASP.NET MVC - Limit what users can view/edit
- MVC access restriction for logged in users
- Best way to ensure logged in users only see their data
- How to prevent users from changing other users data in ASP.NET MVC
- Ensuring that only a particular user has access
- MVC 3 - access for specific user only
- restrict user access to controller based on property in object (asp.net mvc)
- Where do I prevent users from accessing other users' data?
- MVC Protecting User Based Data Security
- How do you restrict access to a certain user using ASP.NET MVC?