dennis

JavaScript injection ASP MVC

I have created the controller:

    [Authorize]                        // only requires a logged-in user; no role check
    [AcceptVerbs(HttpVerbs.Delete)]    // responds to HTTP DELETE
    public ActionResult Delete(int id)
    {
        try
        {
            db.DeleteObject(db.AEROLINEA.FirstOrDefault(x => x.AEROLINEAID == id));
            db.SaveChanges();
        }
        catch { /* TODO: Display message */ }

        return View();
    }

If I execute the following JavaScript in Firebug, anyone who is logged in can delete an airline even if he doesn't have permission to delete:

    var action = "/Airline/Delete/" + recordId;

    // Sys.Net.WebRequest is the ASP.NET AJAX client library request object
    var request = new Sys.Net.WebRequest();
    request.set_httpVerb("DELETE");
    request.set_url(action);
    request.add_completed(deleteCompleted);
    request.invoke();

How can I avoid this issue?

Upvotes: 1

Views: 244

Answers (3)

eu-ge-ne

Reputation: 28153

[Authorize] without parameters allows you to indicate that a user must be logged in. You can also specify the users/roles authorized to access your action.

Upvotes: 0

Erik

Reputation: 870

Or use the AntiForgeryToken with a juicy salt in the View.

Upvotes: 0

user434917

You can filter the roles:

Example:

    [Authorize(Roles="Admin")]
    [AcceptVerbs(HttpVerbs.Delete)]
    public ActionResult Delete(int id)
    {
        try
        {
            db.DeleteObject(db.AEROLINEA.FirstOrDefault(x => x.AEROLINEAID == id));
            db.SaveChanges();
        }
        catch { /* TODO: Display message */ }

        return View();
    }

Upvotes: 2
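The role filter from the accepted answer and the anti-forgery token from Erik's answer combined into one hardened action, as an added example that is not from the question or any of the answers. It assumes ASP.NET MVC 3 or later (for `HttpStatusCodeResult`), and `AirlineEntities` is a placeholder for whatever Entity Framework context `db` is in the question. It also handles the case the default `[Authorize]` gets wrong for a logged-in user in the wrong role: instead of redirecting to the login page it answers 403, so the client sees a real refusal.

```csharp
using System.Linq;
using System.Web.Mvc;

// Hypothetical attribute: same checks as [Authorize], but an authenticated
// user who lacks the required role gets 403 instead of a login redirect.
public class RoleOrForbidAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Logged in, but not in the role: refuse the request outright.
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }
        // Anonymous caller: keep the default behaviour (401 / login redirect).
        base.HandleUnauthorizedRequest(filterContext);
    }
}

public class AirlineController : Controller
{
    // Placeholder for the question's EF context; the real type is not shown there.
    private readonly AirlineEntities db = new AirlineEntities();

    [RoleOrForbid(Roles = "Admin")]   // server-side role check; hiding the button is not enough
    [HttpDelete]                      // only HTTP DELETE reaches this action
    [ValidateAntiForgeryToken]        // rejects requests without the token rendered by Html.AntiForgeryToken()
    public ActionResult Delete(int id)
    {
        var airline = db.AEROLINEA.FirstOrDefault(x => x.AEROLINEAID == id);
        if (airline == null)
        {
            // Don't pass null to DeleteObject; report a missing record explicitly.
            return new HttpStatusCodeResult(404);
        }

        db.DeleteObject(airline);
        db.SaveChanges();          // let a failure surface instead of swallowing it in an empty catch
        return RedirectToAction("Index");
    }
}
```

`ValidateAntiForgeryToken` reads the token from the submitted form fields, so the client must send the token rendered in the view along with the request; a request built by hand in Firebug without it is rejected even when the user is an Admin.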

Related Questions