
Check if logged in user, is same as logged in

I'm developing a forum and trying to create an "edit page", but I only want the user that created the post to be able to see the "edit control" and to be the only user who is able to edit his page. How should I do that?

This is how far I am right now:

@if (WHAT TO TYPE HERE)
{
    @Html.ActionLink("Edit", "Edit", "Threads", new { @id = Model.Id }, null)
}

ANSWER ADDED IN COMMENT

You need to compare the current user to the original author of the post. I suppose you have a database?

Let's say you have a model for a forum thread / post:

public class ForumPost
{
    public int Id { get; set; }
    public string Author { get; set; }
    // [...] Additional fields.
}

The Author field should, for example, contain the username of the one that created the post. When viewing a post you should:

  1. Retrieve this from your repository
  2. Compare the current user HttpContext.Current.User.Identity.Name to the author of the post Model.Author

If you want to do this in your view, you can do it like this:

@if (HttpContext.Current.User.Identity.Name.Equals(Model.Author))
{
    @Html.ActionLink("Edit", "Edit", "Threads", new { @id = Model.Id }, null)
}

I don't have a compiler with me, but this code should work.

I would however not recommend doing this directly in the view. You should create a view model which contains all the necessary fields to satisfy your view.

If not already done somewhere else, first check whether the user is authenticated, then consider what kind of authentication you are using (you should give more details in your question). For example, if you use Windows authentication the property "User.Identity.Name" also contains the domain:

if (HttpContext.Current.User.Identity.IsAuthenticated && HttpContext.Current.User.Identity.Name.Equals(Model.Author))

Doing this check in the view is perfectly fine as long as you keep in mind that it has purely a UX function: the role of this switch should only be to make a button visible; you should not attach any security concern to it.

The security of "is the user allowed to edit the post" always has to be checked on the backend in the edit controller action, where you'll have to do this check again. Always check who is able to perform an action at the beginning of the Get method for that action.
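As an added example (not code from any of the answers above), here is the advice of both answers combined: a view model that carries a CanEdit flag for the link, and the ownership check factored into one helper that both Edit actions call before touching the thread. Assumed names: a Thread entity with an ApplicationUserId column, an ApplicationDbContext with a Threads set, and ASP.NET Identity's GetUserId() extension.

```csharp
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// View model: the view only renders CanEdit, it never decides permission itself.
public class ThreadDetailsViewModel
{
    public int Id { get; set; }
    public string Title { get; set; }
    public bool CanEdit { get; set; }
}

public class ThreadsController : Controller
{
    private readonly ApplicationDbContext db = new ApplicationDbContext(); // assumed EF context
    // Single source of truth for "may the current request edit this thread".
    private bool CurrentUserOwns(Thread thread)
    {
        return thread != null
            && User.Identity.IsAuthenticated
            && thread.ApplicationUserId == User.Identity.GetUserId();
    }

    public ActionResult Post(int id)
    {
        Thread thread = db.Threads.Find(id);
        if (thread == null) return HttpNotFound();
        return View(new ThreadDetailsViewModel
        {
            Id = thread.Id, Title = thread.Title, CanEdit = CurrentUserOwns(thread)
        });
    }

    [Authorize]
    public ActionResult Edit(int? id)
    {
        Thread thread = id.HasValue ? db.Threads.Find(id.Value) : null;
        if (!CurrentUserOwns(thread)) return HttpNotFound(); // 404 also hides existence
        return View(thread);
    }

    [HttpPost, Authorize, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, [Bind(Include = "Title,Content")] Thread input)
    {
        Thread thread = db.Threads.Find(id);
        if (!CurrentUserOwns(thread)) return HttpNotFound(); // id is client-controlled: re-check
        if (!ModelState.IsValid) return View(thread);
        thread.Title = input.Title;
        thread.Content = input.Content;
        db.SaveChanges();
        return RedirectToAction("Post", new { id });
    }
}
```

In the view, `@if (Model.CanEdit) { @Html.ActionLink("Edit", "Edit", "Threads", new { id = Model.Id }, null) }` replaces the identity comparison, and the POST still refuses a forged id even though the link was never shown to that user.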

Alright, thanks for your answers, but I found another way. The way I did it was:

Controller:

    // Fragment of the Threads controller; it relies on
    // System.Net, System.Data.Entity, System.Web.Mvc and Microsoft.AspNet.Identity.
    public ActionResult Edit(int? id)
    {
        if (id == null)
        {
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
        }
        Thread thread = db.Threads.Find(id);
        string userId = User.Identity.GetUserId();
        // Only the thread's author may open the edit form; anyone else gets a 404.
        if (thread == null || thread.ApplicationUserId != userId)
        {
            return HttpNotFound();
        }
        ViewBag.CategoryId = new SelectList(db.Categorys, "Id", "Title", thread.CategoryId);
        return View(thread);
    }

    [HttpPost]
    [ValidateInput(false)] // request validation is off here, so Content must be encoded when rendered
    [ValidateAntiForgeryToken]
    public ActionResult Edit([Bind(Include = "Id,Title,Content,CategoryId")] Thread thread)
    {
        if (ModelState.IsValid)
        {
            Thread t = db.Threads.Include(m => m.ApplicationUser).FirstOrDefault(m => m.Id == thread.Id);
            // The posted Id is client-controlled, so the ownership check from the GET
            // action has to be repeated here; otherwise any user could edit any thread.
            if (t == null || t.ApplicationUserId != User.Identity.GetUserId())
            {
                return HttpNotFound();
            }
            t.Content = thread.Content;
            t.Title = thread.Title;
            db.Entry(t).State = EntityState.Modified;
            db.SaveChanges();
            return RedirectToAction("Post", "Threads", new { @id = thread.Id });
        }
        return View(thread);
    }

View:

@if (Model.ApplicationUserId == User.Identity.GetUserId())
{
    @Html.ActionLink("Edit", "Edit", "Threads", new { @id = Model.Id }, null)
}

That worked :)

Thanks for all your answers
