Parameter query string Asp.net MVC

Question

Parameter query string Asp.net MVC

Asked 8 years, 8 months ago

Viewed 515 times

2

I need to avoid in ASP.Net MVC that a user simply changing the page URL has access to other data.

Example, it can access the page www.dominio.com.br/usuario/1 and I need to block him from simply changing the ending (www.dominio.com.br/usuario/2) have access to another user.

These links would access the controller User and a Action HttpGet Index(int id).

Since your verification has to be done on top of data, I see no alternative but to do an if and check the Action id with the logged-in user id and fire an Exception if it doesn’t. Usually the rules are made on top of actions or controllers, as yours is done on top of data you will need to check this inside the controller and fire the Exception.

– Thiago Silva

2016/03/24 at 12:29

2 answers

Browser other questions tagged c# asp.net-mvc querystring

You are not signed in. Login or sign up in order to post.

by Tiedt Tech • **2,427** points · Answer 1 · 2016-03-30T13:12:50+00:00

You can’t block the URL. In this case, you have to do the control within your Action. If the logged-in user is the 1 (by Session, cookie or any form of control you have), and try to access the 2, you check if it is the logged-in user is the same who is trying to fetch the information, if it is not you go to another Action. Example below:

[Authorize]
public ActionResult Usuario(int id)
{
    var usuarioLogado = UsuarioServico.SessaoUsuarioLogado();

    // Sua logica de validação, eu uso session
    if (id != usuarioLogado.UsuarioID)
    {
      return RedirectToAction("Sem Acesso", "Usuario");
    }

    using (var db = new Conexao())
    {
        var usuario = db.Usuario.Find(id);
        return View(usuario);
    }
}

Function Login User Login

public static UsuarioLogadoDTO SessaoUsuarioLogado()
{
    return HttpContext.Current.Session[Constante.sessaoUsuarioLogado] as UsuarioLogadoDTO;
}

by Edmar Munhoz • **1,057** points · Answer 2 · 2016-03-30T12:52:14+00:00

I believe that the best option would be for you to change a little the way you access it, if the user can only see their own data then maybe you wouldn’t even pass the id to the action. How and your login system, if it is controlled by session when calling this action you could pick up session information to perform the information search, so whenever user access this action he will only have access to his own information.