Wednesday, 18 September 2013

Authorization based on creator

Let's assume we have an ASP.NET MVC blogging app that allows users to
register and then blog on the site. Now let's assume that the blog edit
page takes in the blogId and then presents the information related to that
blog. In the action method, how can we ensure that the BlogId received by
the action method belongs to a blog that the logged-in user created? We
can have a scenario where someone modifies the URL and puts in the ID of a
blog that does not belong to the logged-in user. What is the best way of
preventing this?
One option that I can think of is fetching the creator of the blog in the
action method and then checking it against the ID of the logged-in user to
ensure that the user has access to edit that specific blog. Can this be
achieved by some kind of filter rather than having to specify this in every
action method?
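Both options from the question, as an added example that is not part of the original post: an action filter that reads the bound `blogId` argument and refuses the request unless the logged-in user owns that blog, beside an action that does the same check inline. The `Blog` model, the `IBlogRepository` interface, the in-memory repository and the user names `alice` and `bob` are constructed for this example; the filter and result types are the standard ones from `System.Web.Mvc`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Constructed domain model: the owner is set server-side when the blog is created
// and is never bound from user input.
public class Blog
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string OwnerUserName { get; set; }
}

public interface IBlogRepository
{
    // Returns null when no blog with this id belongs to this user, so ownership is
    // enforced by the query itself rather than by a comparison the caller may forget.
    Blog FindForOwner(int blogId, string ownerUserName);
}

// Constructed in-memory repository standing in for a database.
public class InMemoryBlogRepository : IBlogRepository
{
    private static readonly List<Blog> Blogs = new List<Blog>
    {
        new Blog { Id = 1, Title = "Alice's blog", OwnerUserName = "alice" },
        new Blog { Id = 2, Title = "Bob's blog",   OwnerUserName = "bob" },
    };

    public Blog FindForOwner(int blogId, string ownerUserName)
    {
        return Blogs.FirstOrDefault(b => b.Id == blogId
            && string.Equals(b.OwnerUserName, ownerUserName, StringComparison.OrdinalIgnoreCase));
    }
}

// Option 1: a filter that runs before the action and checks ownership of the
// blog id that model binding produced for the named action parameter.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class AuthorizeBlogOwnerAttribute : ActionFilterAttribute
{
    private readonly string _parameterName;

    public AuthorizeBlogOwnerAttribute(string parameterName = "blogId")
    {
        _parameterName = parameterName;
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult(); // 401, forms auth redirects to login
            return;
        }

        object raw;
        if (!filterContext.ActionParameters.TryGetValue(_parameterName, out raw) || !(raw is int))
        {
            filterContext.Result = new HttpStatusCodeResult(400, "Missing or invalid " + _parameterName);
            return;
        }

        // Resolve through your DI container in a real app; newed up here to stay self-contained.
        IBlogRepository repo = new InMemoryBlogRepository();
        if (repo.FindForOwner((int)raw, user.Identity.Name) == null)
        {
            // 404 rather than 403 so the response does not confirm that the id exists.
            filterContext.Result = new HttpNotFoundResult();
            return;
        }

        base.OnActionExecuting(filterContext);
    }
}

public class BlogController : Controller
{
    private readonly IBlogRepository _repo = new InMemoryBlogRepository();

    // With the filter applied, a foreign blogId never reaches this method body.
    [Authorize]
    [AuthorizeBlogOwner("blogId")]
    public ActionResult Edit(int blogId)
    {
        return View(_repo.FindForOwner(blogId, User.Identity.Name));
    }

    // Option 2: the same check written inline, using the ownership-scoped query.
    [Authorize]
    public ActionResult EditInline(int blogId)
    {
        var blog = _repo.FindForOwner(blogId, User.Identity.Name);
        if (blog == null)
        {
            return HttpNotFound();
        }
        return View("Edit", blog);
    }
}
```

Whichever option is used, the owner is always taken from `User.Identity` on the server, never from a hidden form field or the URL, and the same check has to cover the POST that saves the edit, not only the GET that displays the form. Scoping the query by owner (`FindForOwner`) rather than loading the blog and comparing afterwards removes the chance of the comparison being left out of one action.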
