Validation for Edit and Delete operations by ID in the URL

1

I tested taking the ID and passing it via the URL; it normally performs the operation as long as the ID exists, otherwise it gives the error as expected.

EX:

link

link

How can I address this issue? Is there some form of validation so that if the id parameter is passed via a direct URL it does not work, or something similar? Otherwise anyone can pass any id and delete or edit important data.

    [HttpPost]
    public ActionResult Edit(Pessoa model)
    {
        if (ModelState.IsValid)
        {
            Pessoa p = new Pessoa();
            p.Salvar(model);

            return View("List", p.Listar());
        }
        else
            return View("Create", model);
    }

    // No [HttpPost] here: a plain GET such as /Pessoa/Delete/5 reaches this action,
    // so whatever id is in the URL gets deleted.
    public ActionResult Delete(int id)
    {
        Pessoa p = new Pessoa();
        p.Deletar(id);

        return View("List", p.Listar());
    }
    
asked by anonymous 01.10.2017 / 12:32

2 answers

0

This is because you are working with the GET method.

The GET method: With a capacity of 1024 characters, this method is used when you want to pass little or small information to perform a search, or simply to pass information to another page through the URL. It is important to note that the information passed will be visible in the URL, which makes this method unfeasible for working with sensitive information.

The POST method: This method uses the Uniform Resource Identifier (URI) to send information to the server. The URI is not returned to the client, which makes the method more secure for working with sensitive information because it does not expose the data sent in the browser. It is important to note that this method has no capacity limit for sending information. POST uses a parallel connection to route the data.

An example of marking an action as POST:

    [HttpPost]
    public ActionResult Index()
    {
        // Your code here
        return View();
    }

In the View you will need to provide some way for the Action to be called: a link, a button, etc.

1-Note: When you do not force an action to be accessed in a certain way, it can be accessed either by the URL (GET) or by a POST request.

2-Note: Ideally you have some user control, for example a login, to verify that the logged-in user is allowed to perform a certain action.

    
01.10.2017 / 14:43
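The following is an added example, not code from the question or the answer above, showing what the answer's advice looks like when applied to the question's `Delete` action: the deletion only runs on a POST that carries a valid anti-forgery token, so a plain GET to `/Pessoa/Delete/5` cannot delete anything. `Pessoa`, `Deletar` and `Listar` follow the names used in the question; `Buscar(int id)` (returning `null` when the record does not exist) and the `List` action are assumed here.

```csharp
using System.Web.Mvc;

// Added example (ASP.NET MVC 5): POST-only delete with a confirmation step.
// Pessoa, Deletar and Listar come from the question; Buscar and the List
// action are assumptions made for this example.
public class PessoaController : Controller
{
    // GET /Pessoa/Delete/5 only shows a confirmation page; it changes nothing.
    [HttpGet]
    public ActionResult Delete(int id)
    {
        Pessoa p = new Pessoa();
        Pessoa registro = p.Buscar(id);
        if (registro == null)
        {
            return HttpNotFound();
        }
        return View(registro);
    }

    // POST /Pessoa/Delete/5 performs the deletion. [ActionName("Delete")] lets the
    // confirmation form post to "Delete" even though this method has another name
    // (C# does not allow two overloads that differ only by attribute).
    [HttpPost, ActionName("Delete")]
    [ValidateAntiForgeryToken]   // rejects requests without the token emitted by the view
    public ActionResult DeleteConfirmed(int id)
    {
        Pessoa p = new Pessoa();
        if (p.Buscar(id) == null)
        {
            return HttpNotFound();
        }

        p.Deletar(id);

        // Redirect after POST so a browser refresh does not resubmit the deletion.
        return RedirectToAction("List");
    }
}
```

The confirmation view (`Views/Pessoa/Delete.cshtml`) is just a form that posts back to the same URL: inside `@using (Html.BeginForm()) { ... }` put `@Html.AntiForgeryToken()` and a submit button. Because the token is tied to the user's cookie, a link or image on another site cannot trigger the deletion, and because the GET action never calls `Deletar`, typing the URL by hand cannot either.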
0

I advise you not to waste time trying to secure your application by changing the route or something similar, thinking in terms of simplistic security; you can use an ASP.NET Filter:

Structure

  • Controller Login

    Here you will record the logged-in user using: HttpContext.Session.Add("Nome", "NomeUsuarioLogado"); when the user logs in to the system. Note: you will have to create a user table.

  • Creating Filter

    Create a folder called Filter, and create a class called LoginFilter in it:

    using System.Web.Mvc;
    using System.Web.Routing;

    public class LoginFilter : ActionFilterAttribute
    {
        // Runs before every action of a decorated controller (or action).
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            object usuarioLogado = filterContext.HttpContext.Session["Nome"];

            // Nobody logged in: send the request to the login page instead of the action.
            if (usuarioLogado == null)
            {
                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary(
                        new { action = "Index", controller = "Login" }));
            }
        }
    }
    

    This class will be responsible for checking whether the user is logged in or not.

  • Decorating Classes

    Now just go to your controllers and "decorate" them:

    [LoginFilter]
    public class PessoaController : Controller { }
    

    You can decorate method by method, but in this case the ideal is to decorate the whole class.

    By doing this, only people logged into the system will be able to delete and edit the data. You can study the filter further and create new filters, separating the system by department for example. You can also think about creating a log table, to know who deleted something.

02.10.2017 / 14:08
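The following is an added example, not code from the answer above, that takes the answer's `LoginFilter` one step further. Requiring a login is necessary but not sufficient for the question's problem: once logged in, a user could still type `/Pessoa/Delete/7` for a record that is not theirs. The controller below therefore also checks that the record belongs to the logged-in user before deleting, and writes a log line as the answer suggests. The session key `"Nome"`, `Pessoa`, `Deletar` and `Listar` follow the names on this page; `Buscar(int id)`, the `Dono` (owner) property and the `List` action are assumptions made for this example.

```csharp
using System.Diagnostics;
using System.Web.Mvc;
using System.Web.Routing;

// The answer's filter, reproduced here so the example is self-contained.
public class LoginFilter : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        object usuarioLogado = filterContext.HttpContext.Session["Nome"];
        if (usuarioLogado == null)
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { action = "Index", controller = "Login" }));
        }
    }
}

// Added example: authentication (the filter) plus per-record authorization.
// Buscar, Dono and the List action are assumed; the rest follows the page.
[LoginFilter]
public class PessoaController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        // The filter guarantees this is non-null by the time the action runs.
        string usuario = (string)Session["Nome"];

        Pessoa p = new Pessoa();
        Pessoa registro = p.Buscar(id);

        // "Does not exist" and "is not yours" get the same response, so the
        // reply does not reveal which ids exist.
        if (registro == null || registro.Dono != usuario)
        {
            return HttpNotFound();
        }

        p.Deletar(id);

        // Minimal audit trail: who deleted which record. The answer suggests a
        // log table; a Trace line is used here only to keep the example short.
        Trace.TraceInformation("user={0} action=Delete pessoaId={1}", usuario, id);

        return RedirectToAction("List");
    }
}
```

The same `registro.Dono != usuario` comparison belongs in `Edit`, applied to the id carried inside the posted model rather than trusting that the model describes a record the user is allowed to change.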