Silva, as I do not know exactly what business rule you need to apply in this case, I'm going to show you three ways to handle what I understand to be your problem. But I can already tell you that the first one does not solve 100% of your problem and is not recommended.
1 - (NOT RECOMMENDED) Assuming the problem is just to "hide" the employee id, you can pass the ID_FUNCIONARIO parameter through a POST request. But as I said before, it does not solve 100% of the problem, as it is possible to forge a POST request with software like Fiddler.
2 - In this case I am assuming that your user can access the ~/Funcionario/Edit/ page of several different employees.
In this case you must validate whether the user who made the request is allowed to view the page. You should validate this in both the Action that responds to GET requests and the Action that responds to POST requests. If you need to do this kind of validation in many Actions, it is worth creating an ActionFilter for that.
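Example of validation within the method:

    // GetUserId() is an extension method from Microsoft.AspNet.Identity.
    public ActionResult Edit(int ID_FUNCIONARIO)
    {
        var idUsuario = User.Identity.GetUserId();
        // Deny the request before loading anything if the user may not access this employee.
        if (!ValidarRequisicao(idUsuario, ID_FUNCIONARIO))
        {
            return View("AcessoNegado");
        }

        // Authorized: load the employee here and show the edit form.
        return View();
    }

    [HttpPost]
    public ActionResult Edit(Funcionario oFuncionario)
    {
        var idUsuario = User.Identity.GetUserId();
        // Repeat the check on POST: the id inside the posted model comes from the client.
        if (!ValidarRequisicao(idUsuario, oFuncionario.Id))
        {
            return View("AcessoNegado");
        }

        // Authorized: save the changes here.
        return View(oFuncionario);
    }
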
3 - Assuming that the employee and the user are the same thing and each user can only edit their own information:
In this case, just validate whether the employee id is equal to the logged-in user's id. Remember to ALWAYS validate both GET and POST. Example:
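
    public ActionResult Edit(int ID_FUNCIONARIO)
    {
        // GetUserId<int>() (Microsoft.AspNet.Identity) assumes the user key is an int,
        // so it can be compared with the employee id.
        var idUsuario = User.Identity.GetUserId<int>();
        if (idUsuario != ID_FUNCIONARIO)
        {
            return View("AcessoNegado");
        }

        // Same person: load the employee here and show the edit form.
        return View();
    }

    [HttpPost]
    public ActionResult Edit(Funcionario oFuncionario)
    {
        var idUsuario = User.Identity.GetUserId<int>();
        // Compare against the id in the posted model, which comes from the client.
        if (idUsuario != oFuncionario.Id)
        {
            return View("AcessoNegado");
        }

        // Same person: save the changes here.
        return View(oFuncionario);
    }
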
If none of the three options solves your problem, add more details about what needs to be validated for your business rule. Remember that the first one leaves a security hole that is EASILY exploited.
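
The ActionFilter suggested in option 2, written out as an added example (it is not code from the original answer). It assumes ASP.NET MVC 5 with Microsoft.AspNet.Identity; the attribute name, the `Funcionario` stub and the static `ValidarRequisicao` delegate are hypothetical stand-ins for the real model and business rule.

```csharp
using System;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Assumed minimal model: the answer only shows that Funcionario has an Id.
public class Funcionario { public int Id { get; set; } }

// Hypothetical attribute. Apply it to both Edit actions (or to the controller):
//   [ValidarAcessoFuncionario] public ActionResult Edit(int ID_FUNCIONARIO)
//   [HttpPost, ValidarAcessoFuncionario] public ActionResult Edit(Funcionario oFuncionario)
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class ValidarAcessoFuncionarioAttribute : ActionFilterAttribute
{
    // Stand-in for the answer's ValidarRequisicao; assign the real rule at startup.
    // The default denies everything, so a missing rule fails closed.
    public static Func<string, int, bool> ValidarRequisicao =
        (idUsuario, idFuncionario) => false;

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Runs after model binding and before the action body, for GET and POST alike.
        string idUsuario = filterContext.HttpContext.User.Identity.GetUserId();
        int? idFuncionario = ObterIdFuncionario(filterContext);

        // Deny when the user is anonymous, no employee id can be resolved,
        // or the business rule rejects the pair.
        if (idUsuario == null || idFuncionario == null
            || !ValidarRequisicao(idUsuario, idFuncionario.Value))
        {
            // Setting Result short-circuits the pipeline: the action never runs.
            filterContext.Result = new ViewResult { ViewName = "AcessoNegado" };
        }
    }

    // Resolves the employee id from the bound parameters: a posted Funcionario
    // model (POST) or the ID_FUNCIONARIO route/query value (GET).
    private static int? ObterIdFuncionario(ActionExecutingContext filterContext)
    {
        foreach (object valor in filterContext.ActionParameters.Values)
        {
            var funcionario = valor as Funcionario;
            if (funcionario != null) return funcionario.Id;
        }
        object bruto;
        if (filterContext.ActionParameters.TryGetValue("ID_FUNCIONARIO", out bruto) && bruto is int)
            return (int)bruto;
        return null;
    }
}
```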