tags:

views:

98

answers:

3
+1  Q: 

javascript injection asp mvc

i have created the controller :

    [Authorize]
    [AcceptVerbs(HttpVerbs.Delete)]
    public ActionResult Delete(int id)
    {
        try
        {
            db.DeleteObject(db.AEROLINEA.FirstOrDefault(x => x.AEROLINEAID == id));
            db.SaveChanges();
        }
        catch { /* TODO:Display message*/ }

        return View();
    }

if i execute in firebug the next javascript anyone logged could delete an airline even if he doesnt have permissions to delete 

    var action = "/Airline/Delete/" + recordId;

    var request = new Sys.Net.WebRequest();
    request.set_httpVerb("DELETE");
    request.set_url(action);
    request.add_completed(deleteCompleted);
    request.invoke();

HOw can avoid this issue???

+2  A: 

You can filter the the roles:

Example: 

[Authorize(Roles="Admin")]
    [AcceptVerbs(HttpVerbs.Delete)]
    public ActionResult Delete(int id)
    {
        try
        {
            db.DeleteObject(db.AEROLINEA.FirstOrDefault(x => x.AEROLINEAID == id));
            db.SaveChanges();
        }
        catch { /* TODO:Display message*/ }

        return View();
    }
Marwan Aouida  2009-05-20 18:31:36
authorize verify if you have acces to that view? or only verify that you are logged?
 2009-05-20 19:16:32
It checks if the logged in user is in role e.g:"Admin" which means if he has access to that particular action method.But you have to create the role first.
Marwan Aouida  2009-05-20 19:25:43
that would dont work for me because new roles can be created by the user dinamically.but the real problem is: if somebody have access to the delete method him could pass anything in the id and could delete any airline even if it wasnt listed in the View( because he doesnt have permissions over that airline.)
 2009-05-20 20:07:40
Then you can create an action filter that inherits from the AuthorizeAttribute in which you can choose the roles dynamically
Marwan Aouida  2009-05-20 20:16:51
i thinks if i send the entire entity and not just an id, is that possible?
 2009-05-20 20:23:28
A: 

Or use the AntiforgeryToken with a juicy salt at the View..

Erik  2009-05-20 19:23:40
AntiforgeryToken is really interesting , but it doesnt solve my problem, but is nice to know that it exists, thanks
 2009-05-20 20:21:17
A: 

[Authorize] without parameters allows you to indicate that a user must be logged in. You also can specify users/roles, authorized to access your action

eu-ge-ne  2009-05-20 19:30:06

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data