How to resolve ASP.NET MVC URL ID?

Viewed 303 times

2

The system URL is in format

http://localhost:52962/Funcionario/Edit?ID_FUNCIONARIO=7

In my case this is a problem, because if the user changes this 7 to 11, for example, he will get employee 11 (which, according to the business rule, should not be possible). Does anyone know how I can hide this ID_FUNCIONARIO at the end of the URL?

2 answers

1

Silva, as I do not know exactly what business rule you need to apply in this case, I'm going to show you three ways to treat what I understand to be your problem. But I can already tell you that the first one does not solve 100% of your problem and is not recommended.

1 - (NOT RECOMMENDED) Assuming the problem is just to "hide" the employee id, you can pass the ID_FUNCIONARIO parameter through a POST request. But as I said before, it does not solve 100% of the problem, since it is possible to forge a POST request with software like Fiddler.

2 - In this case I am assuming that your user can access the ~/Funcionario/Edit/ page of several different employees. Here you must validate whether the user who made the request is allowed to view the page. You should validate this both in the Action that responds to GET requests and in the Action that responds to POST requests. If you need to do this kind of validation in many Actions, it is worth creating an ActionFilter for it. Example of validation inside the method:

using System.Web.Mvc;
using Microsoft.AspNet.Identity; // for User.Identity.GetUserId()

public ActionResult Edit(int ID_FUNCIONARIO)
{
   var idUsuario = User.Identity.GetUserId();
   // ValidarRequisicao encodes the business rule: may this user edit this employee?
   if(!ValidarRequisicao(idUsuario, ID_FUNCIONARIO))
   {
      return View("AcessoNegado"); // access denied view
   }
   // ... load the employee and show the edit form
   return View();
}

[HttpPost]
public ActionResult Edit(Funcionario oFuncionario)
{
   var idUsuario = User.Identity.GetUserId();
   // Same check on POST: the id in the posted model is just as easy to tamper with
   if(!ValidarRequisicao(idUsuario, oFuncionario.Id))
   {
      return View("AcessoNegado"); // access denied view
   }
   // ... save the changes
   return RedirectToAction("Index");
}

3 - Assuming that the Employee and the user are the same thing and each user can only edit their own information: in this case, just validate whether the employee id is equal to the logged-in user's id. Remember to ALWAYS validate both GET and POST. Ex.:

using System.Web.Mvc;
using Microsoft.AspNet.Identity; // for User.Identity.GetUserId<int>()

public ActionResult Edit(int ID_FUNCIONARIO)
{
   // GetUserId<int>() returns the id as int so it can be compared with the employee id
   var idUsuario = User.Identity.GetUserId<int>();
   if(idUsuario != ID_FUNCIONARIO)
   {
      return View("AcessoNegado"); // access denied view
   }
   // ... load the employee and show the edit form
   return View();
}

[HttpPost]
public ActionResult Edit(Funcionario oFuncionario)
{
   var idUsuario = User.Identity.GetUserId<int>();
   // On POST the employee id comes from the posted model, not from the URL
   if(idUsuario != oFuncionario.Id)
   {
      return View("AcessoNegado"); // access denied view
   }
   // ... save the changes
   return RedirectToAction("Index");
}

If none of the three options solves your problem, add more details about what needs to be validated for your business rule. Remember that the first option leaves a security hole that is EASILY exploited.
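The ActionFilter the answer mentions for option 2, written out as an added example (not the answerer's code): a single attribute that resolves ID_FUNCIONARIO from the route, query string or form and applies the same check to GET and POST. The IPermissaoFuncionario service and the ValidaFuncionario attribute name are assumptions; the rest uses ASP.NET MVC 5 and ASP.NET Identity as they ship.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Hypothetical service that encodes the business rule (who may edit which employee).
public interface IPermissaoFuncionario
{
    bool PodeEditar(int idUsuario, int idFuncionario);
}

// Runs before the action body for GET and POST alike, so the check cannot be skipped in one of them.
public sealed class ValidaFuncionarioAttribute : AuthorizeAttribute
{
    // Name of the employee id parameter in the route, query string (GET) or form (POST).
    public string ParametroId { get; set; } = "ID_FUNCIONARIO";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false; // not authenticated
        var request = httpContext.Request;
        var raw = request.RequestContext.RouteData.Values[ParametroId]?.ToString()
                  ?? request.QueryString[ParametroId]
                  ?? request.Form[ParametroId];
        int idFuncionario;
        if (!int.TryParse(raw, out idFuncionario)) return false; // missing or malformed id
        var idUsuario = httpContext.User.Identity.GetUserId<int>();
        var permissao = DependencyResolver.Current.GetService<IPermissaoFuncionario>();
        return permissao.PodeEditar(idUsuario, idFuncionario);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Logged in but not allowed: answer 403 instead of redirecting to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class FuncionarioController : Controller
{
    [ValidaFuncionario]
    public ActionResult Edit(int ID_FUNCIONARIO) { return View(); }

    // The posted model binds its id from a form field named "Id", so point the filter at it.
    [HttpPost, ValidateAntiForgeryToken, ValidaFuncionario(ParametroId = "Id")]
    public ActionResult Edit(Funcionario oFuncionario) { return RedirectToAction("Index"); }
}
```

Because the filter denies when the id is missing or not an integer, a request that omits or garbles ID_FUNCIONARIO fails closed instead of falling through to the action.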
