Reputation: 2066
In an old MVC 1 project I'm adding an option for the users to edit their details. I'm not using Forms Authentication (mainly because I shouldn't change the previous code massively), so I'm trying to think of the best way to only allow the user currently logged in to edit his details.
For the moment, given the URL is http://localhost:61681/users/edit?userId=29, other users just have to change the userId to edit others' details.
The way I can just think of is checking inside the method if the userId matches the parameter, but I don't know if there are better ways to do it.
Let me apologize because I understand the question shows my very basic knowledge.
Thanks
Upvotes: 1
Views: 105
Reputation: 32367
if (currentUser.Id != userId)
    return Redirect("http://example.com/access-denied"); // the caller is not the user being edited
If you already know the logged in user, then just add a check to see if it matches the id of the user to be edited. If not, don't let them.
Upvotes: 1
Reputation: 86525
Why not let the user id you're checking userId against be the parameter? If the edit page isn't meant to let anyone edit anyone else's info, then there's no reason for a userId parameter at all -- just let it edit the user that made the request.
Upvotes: 3
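Both answers in one controller, as an added example (not the asker's project code or either answerer's): the query-string version that lets any logged-in user pick a row sits beside the version that drops the userId parameter entirely. It assumes the existing login code keeps the logged-in user's id in Session["UserId"], and the User / IUserRepository types are hypothetical stand-ins for the project's own.

```csharp
using System.Web.Mvc;

// Hypothetical model and repository standing in for the project's own types.
public class User { public int Id; public string DisplayName; public string Email; }
public interface IUserRepository { User GetById(int id); void Save(User user); }

public class UsersController : Controller
{
    private readonly IUserRepository _users;
    public UsersController(IUserRepository users) { _users = users; }

    // Assumption: the existing (non-Forms-Authentication) login stores the id here.
    private int? CurrentUserId { get { return Session["UserId"] as int?; } }

    // BEFORE: the id comes from the query string, so any logged-in user can
    // open /users/editinsecure?userId=29 and edit someone else's record.
    public ActionResult EditInsecure(int userId)
    {
        return View(_users.GetById(userId));
    }

    // AFTER: no userId parameter at all; the record shown is always the caller's own.
    public ActionResult Edit()
    {
        if (CurrentUserId == null)
            return RedirectToAction("Login", "Account"); // not logged in
        return View(_users.GetById(CurrentUserId.Value));
    }

    // The POST side needs the same rule: take the id from the session, never from
    // the form, and copy only the editable fields so a posted "Id" cannot retarget
    // the update (Bind(Exclude) keeps model binding from filling it in).
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Edit([Bind(Exclude = "Id")] User posted)
    {
        if (CurrentUserId == null)
            return RedirectToAction("Login", "Account");
        User own = _users.GetById(CurrentUserId.Value);
        own.DisplayName = posted.DisplayName;
        own.Email = posted.Email;
        _users.Save(own);
        return RedirectToAction("Edit");
    }
}
```

If the userId parameter has to stay for other callers (an admin page, say), the GET and POST actions compare it with CurrentUserId exactly as the first answer shows and redirect when they differ; the session, not the request, remains the source of truth.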