block URL ID

How do I block the ID in the URL parameter of a system I own? For example, when clicking on a record it shows a URL such as /Change/12, where 12 is the id; but if the user changes 12 to 13 he can edit record 13. How do I restrict him to editing only the record he clicked (in this case 12), that is, how do I block the id from being replaced in the URL?

Action Code in Controller:

[HttpGet]
[ActionName("Analisar")]
public async Task<ActionResult> Editar(long id)
{
    // id is taken directly from the route value (/Analisar/12)
    var model = new AssociacaoCooperativaViewModel() { Id = id };

    if (model.Id > 0)
    {
        try
        {
            // loads the record by id and builds the view model from it
            var associacao = await AssociacaoCooperativaApplicationService.ObterAssociacaoCooperativaPorIdAsync(model.Id);
            model = await AssociacaoCooperativaTransformer.TransformGravarAsync(associacao);
            model.Action = this.ControllerContext.RouteData.Values["action"].ToString();
            model.Situacao = EnumSituacaoAssociacaoCooperativa.EmAnalise;
        }
        catch (BusinessException e)
        {
            HandleBusinessException(e);
        }
        //catch(Exception e)
        //{
        //    this.ErrorMessage = e.Message;
        //}
    }

    await this.CarregarGravarViewModelAsync(model);

    return View(model);
}

Thank you in advance.

  • If the issue is permission to edit, wouldn't it be more interesting to check, in the controller action, whether the user has the privilege to modify this record?

  • He has the privilege to edit, but can only edit his own record.

  • Then you can check if the record is his and warn when it is not.

  • I suggest you read the community guidelines, to ask a good question.

  • @Sylviot he can edit any record; however, he cannot edit by changing the URL. If he wants to delete, he has to do the search again.

  • You can do nothing to stop the client; the client of your service is not under your control. If the user is allowed to modify records 12 and 13, let him modify them (if he changed the URL "by hand", he knows the result will be different than expected). If the user is only allowed for 12 and not for 13, it is the service's obligation to check this on the server. The server should never trust the data sent by the client and should check everything on the server side.

  • @But, he has permission, he can change any record; only he needs to change it by clicking it, and if he goes through the URL he cannot change it. Because it is causing a lot of trouble, incredible as it seems: the user says he clicked on a record in the list to change it, then he changes the URL and ends up changing another record and messing up the site.

  • I don't get it. Why do you mess with the system? You can log on the server which URL was called by which user, hence he could not claim to have tried to change 12 when he actually called it passing id 13.

  • @Standalone in your case it would be more efficient to perform the critical operations through POST methods; in GET methods you will always pass the information through the URL.

  • @Standalone you can then check in the edit action whether the "referrer URL" is different from an edit URL... so it can't come straight from the edit.

  • @Killdary Aguiar de Santana These measures would be "palliative": the client can always change both the content and the headers of the POST. There's no way to control what the client sends.

  • @Standalone if my answer helped you, don’t forget to mark it as accepted. Thank you!


1 answer

From what I understood of your question, the user has permission to register, you just do not want him to reach the edit screen by changing the parameter in the URL. Based on this I think of the following solutions.

Solution 1 - Guid ID

The first solution I imagine is using a Guid as the record identifier parameter. In order not to make too many changes to the structure of your database, you could create a new field in your table, of type string/varchar, that will hold the record's Guid ID; thus the URL carries the Guid ID, and the user will never be able to hit another valid Guid and enter another record. And you would not need to change the already existing long ID field, which would mean a major change in the DB.

Your URL would look like this: url/editar/0b2518ca-2100-401f-a810-ecf9a50f4e4d

You also need to create something to generate the Guid for existing records, and change the record creation path so that it generates the Guid as well.

To generate the Guid in C# just use the following command: Guid.NewGuid();

Solution 2 - Request page via POST

The second solution I see would be: in your record listing, you call an Edit route via POST, and on this route you store the ID in a ViewBag or TempData and execute a RedirectToAction to the Edit route (GET); if on this route there is no data in the ViewBag, you return a BadRequest.

As in the example below:

// requires: using System.Net; (for HttpStatusCode)

[HttpPost]
public async Task<ActionResult> RequestEdit(long id)
{
    // store the id the user actually clicked, then hand over to the GET action
    TempData["IdRegistroSendoAlterado"] = id;

    return RedirectToAction("Edit", new { id });
}


[HttpGet]
public async Task<ActionResult> Edit(long id)
{
    // reject if the GET was not preceded by the POST, or if the id in the URL was changed
    if (TempData["IdRegistroSendoAlterado"] == null ||
        id != long.Parse(TempData["IdRegistroSendoAlterado"].ToString()))
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest);

    // load your model here

    TempData["IdRegistroSendoAlterado"] = id; // put the id back in TempData in case the user presses F5
    return View();
}
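As an added example (not code from the answer or the asker's project), here is Solution 1's Guid identifier combined with the server-side check the comments recommend, so the decision never depends on what the client put in the URL or form body. The Registro entity, its PublicId/OwnerUserName fields and the IRegistroRepository interface are assumptions; if every user may edit every record, PodeEditar simply returns true and the Guid lookup is all that remains.

```csharp
// Added example: Guid lookup (Solution 1) plus a server-side per-record check.
// Registro, IRegistroRepository and the owner field are assumed, not from the page.
using System;
using System.Net;
using System.Threading.Tasks;
using System.Web.Mvc;

public class Registro
{
    public long Id { get; set; }               // internal key, never exposed in URLs
    public Guid PublicId { get; set; }         // generated with Guid.NewGuid() on creation
    public string OwnerUserName { get; set; }
    public string Descricao { get; set; }
}

public interface IRegistroRepository
{
    Task<Registro> ObterPorPublicIdAsync(Guid publicId);
    Task SalvarAsync(Registro registro);
}

[Authorize]
public class RegistroController : Controller
{
    private readonly IRegistroRepository _repo;
    public RegistroController(IRegistroRepository repo) { _repo = repo; }

    // GET /Registro/Editar/0b2518ca-2100-401f-a810-ecf9a50f4e4d
    [HttpGet]
    public async Task<ActionResult> Editar(Guid id)
    {
        var registro = await _repo.ObterPorPublicIdAsync(id);
        if (registro == null) return HttpNotFound();   // unknown or altered Guid
        if (!PodeEditar(registro)) return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        return View(registro);
    }

    // The POST repeats the same check: the form body is as client-controlled as the URL.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Editar(Guid id, string descricao)
    {
        var registro = await _repo.ObterPorPublicIdAsync(id);
        if (registro == null) return HttpNotFound();
        if (!PodeEditar(registro)) return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        registro.Descricao = descricao;
        await _repo.SalvarAsync(registro);
        return RedirectToAction("Index");
    }

    // Per-record rule evaluated on the server from the authenticated identity.
    private bool PodeEditar(Registro r) =>
        string.Equals(r.OwnerUserName, User.Identity.Name, StringComparison.Ordinal);
}
```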
