tags:

views:

232

answers:

2
Q: 

Asp.net Mvc: Ajax delete multiple users.

Hello, lets say I got multiple users. They all have items linked to their account. They can CRUD those items.

So now my question is: what's the best way to prevent users from manipulating items from eachother.

At first I thought the antiforgerytoken would help. But it doesn't because when the users look at their control panel they got a valid token. So they could just open firebug and do some post requests to delete items.

While writing this I think I know what I should do. I guess I should just check on the server if the user is deleting his items.

I'll post this question anyway to see if I didn't forget anything which would still make it possible to adjust eachother's items

+1  A: 

The only way to be sure is to check on the server that the current user has permission to "do action"

sirrocco  2009-08-05 05:27:56
A: 

You can use the "Roles" mechanizm (this feature ships with asp.net) to check whether a user can delete other accounts.

yosig81  2009-08-05 09:24:48
he was asking if it's enough to do the validation on the client side.
sirrocco  2009-08-05 16:23:59
The way i solved it was by adding an extra parameter to my delete function. So now it takes Id and User. So when i query for the object to be deleted it returns nothing if the item has a different user.
Pickels  2009-08-05 17:25:04

related questions

User Control Public Shared Variables in ASP.NET 1.1 Not Working As Expected
Best place to save user information xp and vista
Training Users In Security
User Groups Management Implemenation for Desktop Application Question (C#) ?
iPhone application : is-it possible to use a "double" slider to select a price range
Getting multiple UI threads in Windows Forms
How do you store/share online your personal documents ?
Using windows authentication to log on to site using c#
What is the best way to add users to multiple groups in a database?
Unix Proc Directory
Have you ever faced an ethical issue when creating an application?
PostgreSQL 8.3 privileges not updated - wrong usage?
Hierarchical Group Permissions Theory/Resources?
Beta Test Guidelines / Agreement
Getting user photo from SPUser using WSS Object model
Do you know a service like uservoice.com for bug reports?
Multiple permission types (roles) stored in database as single decimal
Best Way to Unit Test a Website With Multiple User Types with PHPUnit
Average User Download Speeds
Passing switches to Xcode 3.1 user scripts
How do I add a user in Ubuntu?
Enumerate Windows user group members on remote system using c#
Should menu items always be enabled? And how do you tell the user?
What do you look for from a User Group?
How to make subdomain user accounts in a webapp