How do I troubleshoot ASP.NET MVC URL IDs?

2

The system URL is in the format

http://localhost:52962/Funcionario/Edit?ID_FUNCIONARIO=7

This is a problem in my case, because if the user changes this 7 to 11, for example, he will get employee 11 (which, according to the business rule, should not be possible). Does anyone know how I can hide this ID_FUNCIONARIO at the end of the URL?

asked by anonymous 11.07.2015 / 16:52

2 answers

1

Silva, since I'm not sure exactly which business rule you need to apply in this case, I'll show you three ways to handle what I understood to be your problem. But I'll say up front that the first one does not solve 100% of your problem and is not recommended.

1 - (NOT RECOMMENDED) Assuming the problem is just "hiding" the employee id, you can pass the ID_FUNCIONARIO parameter through a POST request. But as I said before, this does not solve 100% of the problem, since it is possible to forge a POST request with software like Fiddler.

2 - In this case I'm assuming that your user can access the ~/Funcionario/Edit/ page of several different employees. Here you must validate whether the user who made the request is allowed to view the page. You should do this validation both in the Action that answers GET requests and in the Action that answers POST requests. If you need this kind of validation in many Actions, it is worth creating an ActionFilter for it. Example of the validation inside the method:

public ActionResult Edit(int ID_FUNCIONARIO)
{
   // id of the logged-in user (Microsoft.AspNet.Identity extension method)
   var idUsuario = User.Identity.GetUserId();
   // ValidarRequisicao is your own business-rule check: may this user edit this employee?
   if(!ValidarRequisicao(idUsuario, ID_FUNCIONARIO))
   {
      return View("AcessoNegado"); // access denied
   }
   // ... load the employee and return the edit view
   return View();
}

[HttpPost]
public ActionResult Edit(Funcionario oFuncionario)
{
   var idUsuario = User.Identity.GetUserId();
   // validate the POST too: the id in the form can be changed just like the one in the URL
   if(!ValidarRequisicao(idUsuario, oFuncionario.Id))
   {
      return View("AcessoNegado"); // access denied
   }
   // ... save the changes
   return RedirectToAction("Edit", new { ID_FUNCIONARIO = oFuncionario.Id });
}

3 - Assuming that the employee and the user are the same and each user can only edit their own information: in this case, just check whether the employee's id is equal to the id of the logged-in user. Remember to ALWAYS validate both GET and POST. Ex:

public ActionResult Edit(int ID_FUNCIONARIO)
{
   // GetUserId<int>() converts the Identity user id to int so it can be compared with the employee id
   var idUsuario = User.Identity.GetUserId<int>();
   if(idUsuario != ID_FUNCIONARIO)
   {
      return View("AcessoNegado"); // access denied
   }
   // ... load the employee and return the edit view
   return View();
}

[HttpPost]
public ActionResult Edit(Funcionario oFuncionario)
{
   var idUsuario = User.Identity.GetUserId<int>();
   // compare against the id posted in the form (ID_FUNCIONARIO is not in scope in this action)
   if(idUsuario != oFuncionario.Id)
   {
      return View("AcessoNegado"); // access denied
   }
   // ... save the changes
   return RedirectToAction("Edit", new { ID_FUNCIONARIO = oFuncionario.Id });
}

If none of the three options solves your problem, give more details about what needs to be validated for your business rule. Remember that the first one leaves an easily exploited security hole.

15.07.2015 / 08:07
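The answer above suggests moving the check into an ActionFilter once several Actions need it. The following is an added example of that (it is not code from the original answer): an ASP.NET MVC 5 authorization filter that reads the employee id from the request before the Action runs and asks a business-rule object whether the logged-in user may edit that employee. It covers both option 2 (a general rule) and option 3 (user may only edit himself: the policy just compares the two ids). The `IEmployeeAccessPolicy` interface, the `Funcionario` class and the resolution through `DependencyResolver` are assumptions for the example; the `[ValidateAntiForgeryToken]` on the POST is also an addition, since a forgeable POST is exactly what the answer warns about.

```csharp
using System;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Assumed for the example: the business rule lives behind this interface.
// A "self only" rule (option 3) is: return employeeId.ToString() == userId;
public interface IEmployeeAccessPolicy
{
    bool CanEdit(string userId, int employeeId);
}

// Assumed minimal model, matching the Funcionario used in the answer.
public class Funcionario
{
    public int Id { get; set; }
    public string Nome { get; set; }
}

// Runs before the Action, for GET and POST alike, so the check cannot be forgotten.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class AuthorizeEmployeeAttribute : FilterAttribute, IAuthorizationFilter
{
    private readonly string _parameterName;

    // Name of the request value that carries the employee id
    // ("ID_FUNCIONARIO" in the query string, "Id" in the posted form).
    public AuthorizeEmployeeAttribute(string parameterName = "ID_FUNCIONARIO")
    {
        _parameterName = parameterName;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;
        if (http.User == null || !http.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // Look for the id wherever the model binder would: route, query string, form.
        var raw = filterContext.RouteData.Values[_parameterName] as string
                  ?? http.Request.QueryString[_parameterName]
                  ?? http.Request.Form[_parameterName];

        int employeeId;
        if (!int.TryParse(raw, out employeeId))
        {
            filterContext.Result = new HttpStatusCodeResult(400, "Invalid employee id");
            return;
        }

        // Assumed: the policy is registered with the MVC dependency resolver.
        var policy = DependencyResolver.Current.GetService<IEmployeeAccessPolicy>();
        var userId = http.User.Identity.GetUserId();

        if (policy == null || !policy.CanEdit(userId, employeeId))
        {
            // Same 403 whether or not the employee exists, so changing the number
            // in the URL does not reveal which ids are valid.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
    }
}

public class FuncionarioController : Controller
{
    [HttpGet]
    [AuthorizeEmployee]                       // reads ID_FUNCIONARIO from the URL
    public ActionResult Edit(int ID_FUNCIONARIO)
    {
        // The filter has already verified access; load and show the employee here.
        return View(new Funcionario { Id = ID_FUNCIONARIO });
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    [AuthorizeEmployee(parameterName: "Id")]  // reads the Id field of the posted form
    public ActionResult Edit(Funcionario oFuncionario)
    {
        if (!ModelState.IsValid)
        {
            return View(oFuncionario);
        }
        // Save oFuncionario here; its Id is the value the filter just authorized.
        return RedirectToAction("Edit", new { ID_FUNCIONARIO = oFuncionario.Id });
    }
}
```

The filter deliberately takes the id from the same place the model binder does, so the value it authorizes is the value the Action later saves; if the POST model carried a second id field, that field would have to be ignored or checked too. Denying with 403 instead of rendering the edit view with a message keeps the response size and status identical for "no such employee" and "not yours", which removes the enumeration signal the original URL gives away.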
0

Dude, the best solution to your problem is to encrypt the value you pass and decrypt it when it is received on the other page.

link

11.07.2015 / 17:14