ansaurus

Question

Answer 1

+23 A:

Maybe you could organize the controller action such that the URL is more like http://localhost/person/editme and it displays the edit form for the currently-logged-in user. That way there's no way a user could hack the URL to edit someone else.

Matt Hamilton 2008-12-24 07:03:51

Answer 2

+5 A:

Matt is right.

What the authorisation is for is to show that they're allowed to perform that function - what you're trying to do is say whether they can perform the function for that particular ID.

So two solutions:

Like Matt said, make an action that takes no ID, but looks up the current logged in user from the session information, and retrieves them.
Make an action that takes an ID, but only allow administrators access - so they can modify other users information if required.

But to answer the question, the Authorisation is only to say "Yes, this person can use the modify user action", not based on the parameter entered.

The other way is that you could make it check that the user retrieved == the current user, or redirect to another action saying that they cannot edit that user - but it'd be better just to provide an action that doesn't take an id, and just gets the current logged in user.

crucible 2008-12-24 07:25:29

Answer 3

A:

You could have no Authorize attribute and check the if the user should be allowed to access there page then either redirect or allow the page to be displayed.

Schotime 2008-12-24 11:50:14

Answer 4

+10 A:

A more elegant solution would be to write your own Authorization action filter, either by extending [Authorize], or implementing IAuthorizationFilter, as follows:

public class AuthorizeOwnerAttribute: FilterAttribute, IAuthorizationFilter
{
    #region IAuthorizationFilter Members

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // add logic here that compares the currently logged in user, to the owner of the profile that is being edited
        // get currently logged in user info from filterContext.HttpContext.User.Identity;
        // get profile being edited from filterContext.RouteData or filterContext.Something
    }

    #endregion
}

I'm not sure on what the actual logic would be that goes into the OnAuthorization method, but my comments should give you a starting point. You'd have to Google to find out more - how to redirect the user to a different view, or whether to throw an strongly typed exception that is handled somewhere else (maybe in a [HandleError] attribute).

Saajid Ismail 2009-06-25 13:41:32

How to implement your own authorization action filter has been answered many times on SO. For example, see http://stackoverflow.com/questions/427598/customizing-authorization-in-asp-net-mvc

bzlm 2009-06-25 14:02:09

Answer 5

+7 A:

My $.02:

Authorized & authenticated are two different things. Simply put, the question is can you do this thing are you supposed to do it? You can pick your friends, you can pick your nose but you can't pick your friends nose! There's no need to check authorization if every role can do it (user has hand and a nose). Have a Post method for users to get to their own profile and test the profile id w/the form's hidden values or redirect (not your nose, go away).

Have a Get method for editing others profiles and just check for the admin role here - (I'm a doctor, I'm authorized to stick things up your nose)...

James Fleming 2009-06-28 12:11:34

Hilarious post.

Roger Rogers 2010-03-24 00:38:40

Answer 6

+2 A:

Solution for this problem: http://nerddinnerbook.s3.amazonaws.com/Part9.htm

"Using the User.Identity.Name property when Editing Dinners

Let's now add some authorization logic that restricts users so that they can only edit the properties of dinners they themselves are hosting..."

Wojtek 2010-02-22 13:20:25

ansaurus

tags:

views:

answers:

asp.net mvc authorization using roles

related questions