Parameter query string asp.net MVC

2

In ASP.NET MVC, I need to prevent a user from gaining access to other data simply by changing the URL of the page.

For example, the user can access the page www.dominio.com.br/usuario/1, and I need to block them from gaining access to another user simply by changing the end of the URL (www.dominio.com.br/usuario/2).

These links would access the User controller and the HttpGet action Index(int id).

    
asked by anonymous 21.03.2016 / 04:26

2 answers

1

You cannot block the URL. In this case, you have to do the check within your Action. If the logged-in user is 1 (per session, cookie or any form of control you have) and tries to access 2, you check whether the logged-in user is the same one whose information is being fetched, and otherwise redirect to another Action. Example below:

[Authorize]
public ActionResult Usuario(int id)
{
    var usuarioLogado = UsuarioServico.SessaoUsuarioLogado();

    // Your validation logic; I use session.
    // The session entry can be null (expired) while the auth cookie is still
    // valid, so a missing session is treated as "no access" as well.
    if (usuarioLogado == null || id != usuarioLogado.UsuarioID)
    {
        return RedirectToAction("Sem Acesso", "Usuario");
    }

    using (var db = new Conexao())
    {
        var usuario = db.Usuario.Find(id);
        return View(usuario);
    }
}

Logged-in user session function:

public static UsuarioLogadoDTO SessaoUsuarioLogado()
{
    return HttpContext.Current.Session[Constante.sessaoUsuarioLogado] as UsuarioLogadoDTO;
}
    
30.03.2016 / 15:12
-1

I think the best option would be for you to change the way you access it a little. If the user can only see their own data, then maybe you would not even need to pass the id to the action. How is your login system? If it is controlled by session, then when calling this action you could take the information from the session to perform the lookup, so whenever the user accesses this action he will only have access to his own information.

30.03.2016 / 14:52
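The session-derived lookup described in the second answer, as an added example that is not code from either answer. It reuses `UsuarioServico.SessaoUsuarioLogado()` and `Conexao` from the first answer, and goes one step further to cover a record where an id has to stay in the URL; the `Pedido` entity, its `PedidoID`/`UsuarioID` columns and the `VerPedido` action are hypothetical.

```csharp
using System.Linq;
using System.Web.Mvc;

// Added example. UsuarioServico and Conexao are the helper and DbContext
// from the first answer; the Pedido entity (PedidoID, UsuarioID) and the
// VerPedido action are hypothetical names used only for illustration.
[Authorize]
public class UsuarioController : Controller
{
    // GET /usuario : no id in the route, so there is nothing to tamper with.
    [HttpGet]
    public ActionResult Index()
    {
        var logado = UsuarioServico.SessaoUsuarioLogado();
        if (logado == null)   // session expired: fail closed
            return new HttpUnauthorizedResult();

        using (var db = new Conexao())
        {
            return View(db.Usuario.Find(logado.UsuarioID));
        }
    }

    // GET /usuario/verpedido/5 : the id is needed here, so the owner is
    // part of the query itself rather than a separate check afterwards.
    [HttpGet]
    public ActionResult VerPedido(int id)
    {
        var logado = UsuarioServico.SessaoUsuarioLogado();
        if (logado == null)
            return new HttpUnauthorizedResult();
        int donoId = logado.UsuarioID;

        using (var db = new Conexao())
        {
            var pedido = db.Pedido.SingleOrDefault(
                p => p.PedidoID == id && p.UsuarioID == donoId);

            // Same response for "does not exist" and "belongs to someone
            // else", so the endpoint does not reveal which ids are valid.
            if (pedido == null)
                return HttpNotFound();

            return View(pedido);
        }
    }
}
```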