0

i have a problem i am building a site in asp.net mvc3 ,
in which i made my several controllers all of them are authorized
because i don't want that unauthorized user access that controller.
Let suppose i have a controller and 2 methods in it as following 

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace Com.health.Controllers
{
    [Authorize]
    public class MyfirstController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }        
        public ActionResult seeyourDetails(int id)
        {
            return View();
        } 
    }
}

now let suppose our method seeyourDetails tells any user his account information , but the problem is this that when user access this method at that time the URL is http://www.exampple.com/Myfirst/seeyourDetails/10 , where 10 is current user id by which i show him his details , but what should i do, if a persons login into my site and he access this URL and manually add 10 or any other number in URL my controller will show him all details regarding that user .

Note : I can do this in one place or two places but i need some solution that i implement in one place and it effects in my whole application . Thanks

Improve this question

4 Answers 4

Reset to default
2

The only way I see is to check if the user id from query string is the same with the user id logged in. This is more of a patching things solution, the proper way is to change how the app works. Something like this, you still need to modify it a bit.

[AttributeUsage(AttributeTargets.Method|AttributeTargets.Class, AllowMultiple = false)]
public class  MyAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);
        var ctx = filterContext.HttpContext;
        var name = ctx.User.Identity.Name;

        //get user id from db where username= name   

        var urlId = Int32.Parse(ctx.Request.Params["id"]);
        if (userId!=urlId)
            filterContext.Result = new HttpUnauthorizedResult();
    }
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

first the Authorize is very powerful and granular. You can use it at class level and at method level. You can also set which Roles have access to to it.

[Authorize]
public class MyFirstController : Controller

You're basically saying any user that has been authenticated, you can also use 

[Authorize(Roles="Administrator")]
public class MyFirstController : Controller

Giving you a finer control. Here you're saying only user in the Administrator role are allowed to access these contents. Now for the SeeYourDetails Action you shouldn't really be be sending the user ID. If the user is currently logged in, you can access his/her details like this:

var current = Membership.GetUser();

So you're all code would look something like this:

using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using System.Collections.Generic;


namespace TestArea.Controllers
{
    [Authorize]
    public class MyFirstController : Controller
    {

        public ActionResult Index()
        {
            return View();
        }

        public ActionResult SeeYourDetails() 
        {
            //get the currently logged in user
            var current = Membership.GetUser();
            //you can always do something else here
            return View(current);
        }


    }

} More info on the Authorize attribute http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx

last, but not least. If you gonna program in C# you should respect it's notation :-) Hope this helps

Improve this answer

Comments

0

you dont have to get the user id from querystring parameter. You have to set to Session of authenticated user infos. And get it from session when you need to know the authenticated user

Improve this answer

2 Comments

but in this case i have to change lot of things in my app , is there any solution for current situation ?
you have to know the authenticated user in server-side. You can get the user infos from db by authenticated username.
0

What you are trying to say is Data Authorization, the user can see only his details after logged into the site.

You can create a custom Authorize filter as said by @MikeSW in the authorization filter check if the logged-in user's id is same as the id passed in the query string and for that you have to store the user id in session.

Since it is a filter you can apply at action level or controller level or global level too.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.