Validation in Edit and Delete operations by ID at url

Viewed 241 times

I tested by taking the id and passing it via the URL; it normally performs the operation as long as the id exists, otherwise it gives an error as expected.

EX:

http://localhost:55199/Person/Delete/7

http://localhost:55199/Person/Edit/7

How can I address this issue? Is there some form of validation so that, if the id parameter is passed directly via the URL, it does not work, or something like that? Otherwise anyone can pass any id and delete or edit important data.

    // Pessoa is the model; Salvar/Listar/Deletar are its persistence methods
    [HttpPost]
    public ActionResult Edit(Pessoa model)
    {
        if (ModelState.IsValid)
        {
            Pessoa p = new Pessoa();
            p.Salvar(model);

            return View("List", p.Listar());
        }
        else
            return View("Create", model);
    }

    // Not restricted to any HTTP verb, so GET /Person/Delete/7 deletes record 7 directly
    public ActionResult Delete(int id)
    {
        Pessoa p = new Pessoa();
        p.Deletar(id);

        return View("List", p.Listar());
    }
  • It is not by changing the URL that you will increase the security of the application. Do you not have any user management system?

  • Not at the moment; I’m still studying a way to create one.

  • What you want is achieved through Authentication and Authorization, because the validation you need is whether the user is logged in to the system and whether they are allowed to perform a certain action. Other than that, you shouldn’t do delete operations via GET, as mentioned in @Thiagopires’s reply.

2 answers

I advise you not to waste time trying to secure your application by changing the route or something like that, thinking of it as a simplistic form of security. Instead, you can use an ASP.NET Filter:

Structure

  • Controller Login

    Here you will record the logged-in user using HttpContext.Session.Add("Nome", "NomeUsuarioLogado"); when the user logs into the system. Note: you will have to create a user table.

  • Creation of Filter

    Create a folder called Filter, and create a class called LoginFilter:

    using System.Web.Mvc;
    using System.Web.Routing;

    public class LoginFilter : ActionFilterAttribute
    {
        // Runs before every action of a controller decorated with [LoginFilter]
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // "Nome" is stored in the session by the Login controller
            object usuarioLogado = filterContext.HttpContext.Session["Nome"];

            if (usuarioLogado == null)
            {
                // Not logged in: send the user to the login page instead of running the action
                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary(
                        new { action = "Index", controller = "Login" }));
            }
        }
    }


    This class will be responsible for checking whether the user is logged in or not.

  • Decorate the Classes

    Now just go to your controllers and "decorate" them:

    [LoginFilter]
    public class PessoaController : Controller { }


    You can decorate each method individually, but in this case the ideal is to decorate the whole class.

    By doing so, only people logged into the system will be able to delete and edit the data. You can study the filter further and create new filters, separating the system by department for example. You can also think about creating a log table, to know who deleted something.


This is because you are working with the GET method.

The GET method: 1024-character capacity. This method is used when you want to pass little or no information, to perform a search, or simply to pass information to another page through the URL. It is important to note that the information passed will be visible in the URL, which makes this method unsuitable for working with sensitive information.

The POST method: this method uses the Uniform Resource Identifier (URI) to send information to the server. The URI is not returned to the client, which makes it the safest method for working with sensitive information, as it does not expose the data sent in the browser. Importantly, this method has no capacity limit for sending information. POST uses a parallel connection to transmit the data.

An example of marking an action as POST-only:

    // Only POST requests reach this action; a GET to the same URL gets 404
    [HttpPost]
    public ActionResult Index()
    {
        // Your code here
        return View();
    }

In the View you will need to provide some trigger for the Action to be called: a link, a button, etc.

1-Note: When you don’t force an action to be accessed in a certain way, it can be accessed either through the URL (GET) or through a POST request.

2-Note: Ideally you should have some user control, for example a login, to check whether the logged-in user is allowed to perform a certain action.

  • In practice, my application has a link where the user can click the edit button, which takes them to the edit screen, and likewise for delete. What I’m not handling is the following: when the user clicks, the system shows the URL as in the example I mentioned, but if the person wants to mess with the system they can put another id in the URL. I wanted to know a way to avoid or validate this.

  • As I mentioned above, to prevent a parameter from being sent through the URL, you should force the method to be POST. Wouldn’t the answer above solve this case?
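Putting the two answers together (the session filter from the first answer and the POST-only action from the second) as an added example that is not code from either answer: the filter rejects anonymous requests, and the destructive step runs only on POST and only when the record belongs to the logged-in user, so changing the id no longer lets one user delete another's data. "Pessoa", "Deletar" and "Listar" come from the question; "Buscar" (lookup by id) and "Dono" (owner) are assumed to exist on the model for this example.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Same idea as the first answer: redirect to login when Session["Nome"] is missing
public class LoginFilter : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (filterContext.HttpContext.Session["Nome"] == null)
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { action = "Index", controller = "Login" }));
        }
    }
}

[LoginFilter]
public class PessoaController : Controller
{
    // GET /Person/Delete/7 only shows a confirmation page; nothing is changed yet
    public ActionResult Delete(int id)
    {
        Pessoa p = new Pessoa().Buscar(id);        // assumed lookup by id
        if (p == null) return HttpNotFound();
        return View(p);
    }

    // The deletion itself: POST only, anti-forgery token required, and the
    // record must belong to the logged-in user. A tampered id that points at
    // someone else's record is refused with 403 instead of being deleted.
    [HttpPost, ActionName("Delete"), ValidateAntiForgeryToken]
    public ActionResult DeleteConfirmed(int id)
    {
        string usuario = (string)Session["Nome"];
        Pessoa p = new Pessoa().Buscar(id);
        if (p == null) return HttpNotFound();
        if (p.Dono != usuario)                      // assumed owner field
            return new HttpStatusCodeResult(403);

        new Pessoa().Deletar(id);
        return View("List", new Pessoa().Listar());
    }
}
```

The confirmation view must submit a form containing @Html.AntiForgeryToken() for the POST to be accepted; the same owner check applies to the Edit action, which this example leaves out for brevity.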
