
MVC Custom Authorize Attribute

I have a method as below:

        [Authorize]
        public async Task<IActionResult> Edit(int? id)
        {
            if (id == null) return NotFound();

            //EF bug workaround
            var activities = (await _context.Activities.AsNoTracking().ProjectTo<ProgramActivityViewModel>()
                .Where(m => m.Id == id).ToListAsync()).SingleOrDefault();

            if (activities == null) return NotFound();

            if (activities.ActivityCoverageArea.Any())
                activities.PhysicalLocation = activities.ActivityPhysicalLocation != null;

            PopulateActivitiesModel(activities);

            return View(activities);
        }

When the user hits this method in the browser, he sees this URL:

http://localhost:52580/Activity/Activity/Edit/117

My issue is that if the user manually enters id 125 instead of 117 in the browser, he can see data that is not related to him. I mean he can see the data of a peer who is at the same level but might be reporting to a different manager. How can I restrict the user from doing this?

The Id being passed is the Activity id, not the UserId; a user can have multiple activity ids. The issue is that she should not see the activities of other users.

You need to get the userId of the currently logged-in user and test that against your data. If the data does not belong to the current user then you just need to return a 403 or a custom error page.

If you are using the newer built-in MVC authentication system then it should be as simple as: User.Identity.GetUserId();

If you have this kind of issue all throughout your code then I suggest having the userId stored in a base controller or in a viewstate that you can easily access without having to hit your database with an extra request every time.
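The check the answer describes, written out as an added example rather than code from the question or the answer: an ASP.NET Core resource-based authorization handler compares the signed-in user's id (the NameIdentifier claim that ASP.NET Core Identity issues) with the owner recorded on the Activity row, and the action returns 403 Forbid() when they differ. The Activity entity, its OwnerUserId column, AppDbContext and ActivityController are assumptions for illustration; the ProjectTo/view-model mapping from the question is left out so the ownership check stands on its own.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Hypothetical entity: assumes each Activity row records the id of the user who owns it.
public class Activity
{
    public int Id { get; set; }
    public string OwnerUserId { get; set; }   // assumed column linking the row to its user
}

// Assumed DbContext exposing the Activities table.
public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Activity> Activities { get; set; }
}

// The operation being authorized; Edit is what the question's action performs.
public static class ActivityOperations
{
    public static readonly OperationAuthorizationRequirement Edit =
        new OperationAuthorizationRequirement { Name = "Edit" };
}

// Resource-based handler: the requirement succeeds only when the signed-in user's id
// (NameIdentifier claim under ASP.NET Core Identity) matches the row's owner.
public class ActivityOwnerHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Activity>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement,
        Activity resource)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId != null && userId == resource.OwnerUserId)
            context.Succeed(requirement);
        // Deliberately no Fail(): another registered handler (e.g. an admin policy)
        // may still grant the requirement.
        return Task.CompletedTask;
    }
}

// Registration (ConfigureServices / Program.cs):
// services.AddSingleton<IAuthorizationHandler, ActivityOwnerHandler>();

[Authorize]
public class ActivityController : Controller
{
    private readonly AppDbContext _context;
    private readonly IAuthorizationService _authorization;

    public ActivityController(AppDbContext context, IAuthorizationService authorization)
    {
        _context = context;
        _authorization = authorization;
    }

    public async Task<IActionResult> Edit(int? id)
    {
        if (id == null) return NotFound();

        var activity = await _context.Activities.AsNoTracking()
            .SingleOrDefaultAsync(a => a.Id == id);
        if (activity == null) return NotFound();

        // Ownership is verified before any row data reaches the view, so changing
        // 117 to 125 in the URL yields 403 unless the caller owns activity 125.
        var result = await _authorization.AuthorizeAsync(User, activity, ActivityOperations.Edit);
        if (!result.Succeeded)
            return Forbid();   // 403 for an authenticated user who does not own the row

        return View(activity);
    }
}
```

Keeping the comparison in a handler rather than inline in every action means the same ownership rule is reused by any controller that calls AuthorizeAsync with an Activity, which addresses the answer's point about the check being needed "all throughout your code" without repeating it. Returning NotFound() for a missing row and Forbid() for a foreign row is a design choice; returning NotFound() for both hides whether an id exists at all.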
