# AuthorizeAttribute MVC - restrict access to user created content
So I read about how implementing your own authorization routines is bad!

http://www.nashcoding.com/2011/02/05/using-the-forms-authentication-membership-provider-on-appharbor/

And I got scared, because I've been implementing my actions as such (example, preventing access to account details if the authenticated user is not the logged-in user):

```csharp
public ActionResult DisplayAccount(int someid)
{
    // Lambda parameter renamed so it does not shadow the local "a"
    Account a = context.Accounts.Single(x => x.id == someid);

    // currentUserId() returns userid from FormsAuthentication
    if (a.owner != currentUserId())
    {
        /* Not Authorised! */
        return new HttpUnauthorizedResult();
    }

    return View(a);
}
```

Which apparently means it will break if ASP decides to cache my action (so the action doesn't even get executed).

So I'm now looking into using AuthorizeAttribute to do what I need to do, which is

- prevent access to an action if not authenticated
- check if the authenticated user has access to the retrieved resource

However, whenever I think about it, I can't think about how to implement the 2nd point. Roles don't work because it's on a site-wide level, but within the application users have roles as well (e.g. Owner, Moderator, Contributor, User etc.), and they only have these roles within their respective parts of the application (e.g. owner of thread, contributor to wiki, moderator of forum etc.)

I have run into several examples of overriding AuthorizeCore. I can sort of imagine creating multiple AuthorizeAttribute subclasses for each resource I have (luckily not many). But just by looking at it, does that mean I have to query the database every time I hit that action to ensure that the logged-in user should be able to access that data, then query the database in my action to get the model, instead of doing that in my query?

So my questions are

- Am I getting too worried about caching? Will any of the following happen?
  - website caches user A's details, which are rendered on user B's screen?
  - website caches the admin version of a page (with edit controls), and a normal user sees the cached version?
- Using AuthorizeAttribute is a given, but how do I achieve what I need to do in point 2 without having to hit the database prior to the action? Or what is the best way to achieve it in any case?
- Or do I only use AuthorizeAttribute to determine if the user is logged in, and do other checking logic in my action?

Anyway, I hope this post isn't treading on any old paths (I couldn't find anything on this that I found definitive).

---

Edit: I guess, if I don't enable caching this problem wouldn't occur, is this correct?

---

Edit: for now, I am going to use vanilla AuthorizeAttribute, then check resource-level access in my actions, then make sure I don't use caching for any authenticated actions. Hopefully I will get more answers for this over the week.
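An added example (not from the question or any answer) of one way to do point 2 inside the filter, assuming a hypothetical `IResourceOwnershipService` registered with MVC's `DependencyResolver` and a numeric user id stored as the Forms Authentication identity name:

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical: an ownership lookup that would query e.g. the Accounts table.
public interface IResourceOwnershipService
{
    bool IsOwner(string resourceType, int resourceId, int userId);
}
// Usage on the action: [ResourceOwnerAuthorize("Account", RouteKey = "someid")]
public class ResourceOwnerAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _resourceType;
    public ResourceOwnerAuthorizeAttribute(string resourceType)
    {
        _resourceType = resourceType;
        RouteKey = "id"; // name of the route/query value carrying the resource id
    }
    public string RouteKey { get; set; }

    // OnAuthorization is deliberately not overridden: the base class registers an
    // output-cache validation callback, so a cached response still re-runs this check.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Point 1: base rejects unauthenticated users (and applies Users/Roles if set).
        if (!base.AuthorizeCore(httpContext))
            return false;

        // Point 2: resolve the resource id, then ask whether the caller owns it.
        object raw = httpContext.Request.RequestContext.RouteData.Values[RouteKey]
                     ?? httpContext.Request.QueryString[RouteKey];
        int resourceId, userId;
        if (raw == null || !int.TryParse(raw.ToString(), out resourceId))
            return false; // missing or malformed id: deny, never fall through
        // Assumed: the Forms Authentication identity name holds the numeric user id.
        if (!int.TryParse(httpContext.User.Identity.Name, out userId))
            return false;

        var ownership = DependencyResolver.Current.GetService<IResourceOwnershipService>();
        return ownership.IsOwner(_resourceType, resourceId, userId);
    }
    // Authenticated but not the owner: answer 403 rather than bouncing to the login page.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

The ownership lookup does cost one keyed query per request before the action runs, but it is what keeps the check from being skipped when the response is served from the output cache.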