Hide ActionLink parameter

2

For example: /admin/Edit/1006 Is there any way to hide this id? Well, any malicious user can change the value and end up finding a user. I know that you should check in the controller whether the user can edit, but only by using ActionLink, is there any way to hide it? Or at least "hinder" the life of the individual who is trying to access data that he is not allowed to access. I thought about using a GUID, but the URL gets too big. Is there any standard or recommendation for the ActionLink parameters?

asked by anonymous 04.01.2015 / 01:04

1 answer

3

There are some techniques you can use.

  • Use a slug;
  • Use a locator;
  • Use another way to find the record, such as a generated Id.

    Slug

    A slug is a descriptive identifier of the record. For example, this question has the slug esconder-parametro-do-actionlink . The problem is that for this to work correctly the system must ensure that this identifier is unique. Notice that so far SO uses a slug composed of Id + description.

    Implementing a slug-based route requires reimplementing MvcRouteHandler and registering it in the route table. This answer teaches you how to do this.

    Locator

    Another tactic is to generate a locator for the record, composed of a random string of at least 6 characters (like flight locators and bus tickets, for example). In this case, it would suffice to take a string parameter with the locator and handle invalid locators.

    public ActionResult PesquisarPorLocalizador(String localizador)
    {
        // Look the record up by its locator instead of by the sequential Id
        var registro = contexto.Registros.FirstOrDefault(x => x.Localizador == localizador);
        if (registro == null) return View("NotFound");

        // Rest of the logic
        return View(registro);
    }
    

    External Identifier

    Another way would be to generate a "second ID" for each record, following some order or policy. The solution is very similar to the locator solution. The Action would receive this external Id as a parameter, preserving the internal Id of the record.

    04.01.2015 / 01:28
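The locator approach in the answer above, carried through as an added example (editor's code, not the answerer's): the locator is produced from a cryptographically secure random source so it cannot be enumerated the way `/admin/Edit/1006` can, the action validates the locator's shape before querying, and the record is still checked against the current user, because an unguessable URL reduces exposure but does not replace authorization. The names `Registro`, `Localizador`, `contexto` and `AppDbContext` are assumptions that follow the answer's snippet; `OwnerId` is a hypothetical field added for the ownership check.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Web.Mvc;

// Assumed model, matching the answer's snippet; OwnerId is a hypothetical field.
public class Registro
{
    public int Id { get; set; }            // internal sequential Id, never exposed in URLs
    public string Localizador { get; set; } // public locator used in ActionLink
    public string OwnerId { get; set; }
}

public static class LocatorGenerator
{
    // 32 symbols, without 0/O and 1/I so a locator can be read back by a person.
    // 32 is a power of two, so masking a random byte with 31 gives a uniform index.
    public const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    public const int Length = 8; // 32^8 = 2^40 possibilities; the answer's minimum is 6

    public static string Generate()
    {
        var bytes = new byte[Length];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes); // CSPRNG, not System.Random
        }
        return new string(bytes.Select(b => Alphabet[b & 31]).ToArray());
    }

    // Cheap syntactic check so malformed input never reaches the database.
    public static bool IsWellFormed(string locator)
    {
        return !string.IsNullOrEmpty(locator)
            && locator.Length == Length
            && locator.All(c => Alphabet.IndexOf(c) >= 0);
    }
}

public class RegistrosController : Controller
{
    private readonly AppDbContext contexto = new AppDbContext(); // assumed EF context

    public ActionResult PesquisarPorLocalizador(string localizador)
    {
        if (!LocatorGenerator.IsWellFormed(localizador)) return View("NotFound");

        var registro = contexto.Registros.FirstOrDefault(x => x.Localizador == localizador);
        if (registro == null) return View("NotFound");

        // The locator hides the Id; the ownership check is what actually protects the data.
        if (registro.OwnerId != User.Identity.Name) return new HttpUnauthorizedResult();

        return View(registro);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Criar(Registro registro)
    {
        registro.OwnerId = User.Identity.Name;

        // Collisions are astronomically unlikely at 2^40, but a unique index on
        // Localizador plus a retry keeps the code correct rather than hopeful.
        for (int attempt = 0; attempt < 3; attempt++)
        {
            var candidato = LocatorGenerator.Generate();
            if (contexto.Registros.Any(x => x.Localizador == candidato)) continue;
            registro.Localizador = candidato;
            contexto.Registros.Add(registro);
            contexto.SaveChanges();
            // The link carries only the locator, e.g. /Registros/PesquisarPorLocalizador/K7PX2QWM
            return RedirectToAction("PesquisarPorLocalizador", new { localizador = candidato });
        }
        throw new InvalidOperationException("Could not allocate a unique locator");
    }
}
```

The same two rules apply to the "external Id" variant from the answer: generate it from a source the client cannot predict, and authorize the record after lookup regardless of how it was found.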