Hide Actionlink parameter


For example: /admin/Edit/1006. Is there any way to hide this id? Any malicious user can change the value and end up finding a user. I know you have to check in the controller whether the user can edit or not, but speaking only of the ActionLink: is there any way to hide this? Or at least to "make life difficult" for someone trying to access data he is not allowed to see? I thought about using a GUID, but the URL gets too big. Is there any standard or recommendation on ActionLink parameters?

1 answer



There are some techniques you can use.

  1. Use a slug;
  2. Use a locator;
  3. Use some other way to locate the record, such as a generated external Id.

Slug

A slug is a descriptive identifier for the record. For example, this question has the slug esconder-parametro-do-actionlink. The problem is that, for this to work properly, the system must ensure that this identifier is unique. Note that SO itself uses a slug composed of Id + description.

Implementing a slug-based route requires reimplementing MvcRouteHandler and registering it in the route table. This answer teaches you how to do this.

Locator

Another tactic is to generate a locator for the record, composed of a random string of at least 6 characters (like flight and bus ticket locators, for example). In this case, it is enough to parameterize the Action with the locator and handle invalid locators.

public ActionResult PesquisarPorLocalizador(String localizador)
{
    // Look the record up by its locator instead of by its internal Id
    var registro = contexto.Registros.FirstOrDefault(x => x.Localizador == localizador);
    if (registro == null) return View("NotFound");

    // Rest of the logic
}

External Identifier

Another way would be to generate "a second id" for each record, following some ordering or convention. The solution is very similar to the locator solution: an Action would receive this external Id as its parameter, keeping the record's internal Id private.


    Thanks. I think a locator and a controller check should be enough.
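As an added example (not the answer's own code), here is the locator approach from the answer carried a bit further in C#: a generator backed by a cryptographic RNG over a fixed 32-symbol alphabet, a uniqueness loop for insertion, and the action that resolves the locator while still enforcing ownership, which is the controller check the question mentions. MeuContexto, Registros, DonoId and the use of User.Identity.Name as the owner key are assumed names, not from the page.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Web.Mvc;

public static class Localizador
{
    // 32 unambiguous, URL-safe symbols (no I/O/0/1): exactly 5 bits per character,
    // so masking a random byte with 0x1F picks a symbol uniformly.
    public const string Alfabeto = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    public const int Tamanho = 8; // 8 chars * 5 bits = 40 bits, ~10^12 possible values

    public static string Gerar()
    {
        var bytes = new byte[Tamanho];
        using (var rng = RandomNumberGenerator.Create()) // cryptographic source, not System.Random
            rng.GetBytes(bytes);
        return new string(bytes.Select(b => Alfabeto[b & 0x1F]).ToArray());
    }

    // Locators must be unique per record; retry on the (rare) collision.
    // jaExiste is supplied by the caller, e.g. l => contexto.Registros.Any(r => r.Localizador == l)
    public static string GerarUnico(Func<string, bool> jaExiste)
    {
        string l;
        do { l = Gerar(); } while (jaExiste(l));
        return l;
    }
}

public class RegistrosController : Controller
{
    private readonly MeuContexto contexto = new MeuContexto(); // assumed EF context

    [Authorize]
    public ActionResult PesquisarPorLocalizador(string localizador)
    {
        // Reject anything that is not the expected shape before touching the database.
        if (string.IsNullOrEmpty(localizador) || localizador.Length != Localizador.Tamanho
            || localizador.Any(c => Localizador.Alfabeto.IndexOf(c) < 0))
            return HttpNotFound();

        var registro = contexto.Registros.FirstOrDefault(x => x.Localizador == localizador);

        // The locator only makes the record hard to guess; the ownership check is what
        // actually authorizes access. Same 404 either way, so a caller cannot tell
        // "does not exist" from "exists but is not yours".
        if (registro == null || registro.DonoId != User.Identity.Name)
            return HttpNotFound();

        return View(registro);
    }
}
```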
