[英]Preventing unauthorized logged users to edit/Delete in asp.net core
I am trying to prevent unauthorized logged in users from seeing and editing other customers records but seem not working. 我试图防止未经授权的登录用户查看和编辑其他客户记录,但似乎无法正常工作。 I have asp.net core ApplicationUser tied to each category created.
我将ASP.NET核心ApplicationUser绑定到创建的每个类别。 I am trying to match the currentUser Id and the applicationUser Id that is stored in the Database.
我试图匹配currentUser ID和存储在数据库中的applicationUser ID。
So if another user should put a category id in the URL that doesn't match with the currently logged ApplicationuserID. 因此,如果另一个用户应该在与当前记录的ApplicationuserID不匹配的URL中放置类别ID。 If that didn't match then redirects to index of category.
如果不匹配,则重定向到类别索引。
I don't know what I am doing wrong. 我不知道我在做什么错。 I have tried different options and other suggestions online
我在网上尝试了其他选项和其他建议
// GET: Categories/Edit/5
public async Task<IActionResult> Edit(int? id)
{
var currentUser = await _userManager.GetUserAsync(HttpContext.User);
var Categories = _context.Categories.FirstOrDefault(m => m.ApplicationUserId == currentUser.Id);
if (id == null)
{
return NotFound();
}
if (Categories.ApplicationUserId != currentUser.Id)
{
return RedirectToAction(nameof(Index));
//return View(category);
}
else
{
var category = await _context.Categories.FindAsync(id);
if (category == null)
{
return NotFound();
}
return View(category);
}
}
The Httpedit Httpedit
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Edit(int id, [Bind("CategoryId,StoreId,ApplicationUserId,CategoryName,Description")] Category category)
{
var currentUser = await _userManager.GetUserAsync(HttpContext.User);
var store = _context.Stores.FirstOrDefault(m => m.ApplicationUserId == currentUser.Id);
var categories = _context.Categories.FirstOrDefault(m => m.ApplicationUserId == currentUser.Id);
if (id != category.CategoryId)
{
return NotFound();
}
if (categories.ApplicationUserId != currentUser.Id)
{
return RedirectToAction(nameof(Index));
}
else
{
if (ModelState.IsValid)
{
try
{
category.StoreId = store.Id;
category.ApplicationUserId = currentUser.Id;
_context.Update(category);
await _context.SaveChangesAsync();
}
catch (DbUpdateConcurrencyException)
{
if (!CategoryExists(category.CategoryId))
{
return NotFound();
}
else
{
throw;
}
}
return RedirectToAction(nameof(Index));
}
}
return View(category);
}
Thanks 谢谢
You just need to change the flow some (and avoid unnecessary database calls). 您只需要对流进行一些更改(并避免不必要的数据库调用)。
Warning: I edited this in place and have not tested it at all! 警告:我已对此进行了编辑,并且根本没有对其进行测试!
// GET: Categories/Edit/5
public async Task<IActionResult> Edit(int? id)
{
// Fail early here, no reason to check the DB if
// the user doesn't include the right information
if (id == null)
{
return NotFound();
}
var currentUser = await _userManager.GetUserAsync(HttpContext.User);
// First, look up the category the user is attempting to access
var category = await _context.Categories.FindAsync(id);
// Check that the category the user is accessing belongs to them
if (category.ApplicationUserId != currentUser.Id)
{
return RedirectToAction(nameof(Index));
}
return View(category);
}
You check user's first category with this: 您可以通过以下方式检查用户的第一类:
var Categories = _context
.Categories.FirstOrDefault(m => m.ApplicationUserId == currentUser.Id);
This code returns false when check like this categories.ApplicationUserId != currentUser.Id
because IDs are equal. 此类检查时,此代码返回
categories.ApplicationUserId != currentUser.Id
因为ID相等。 You should change your code like this 您应该像这样更改代码
var Categories = _context
.Categories.FirstOrDefault(m => m.CategoryId == id.Value)
After this change, categories.ApplicationUserId
can be different from currentUser.Id
这一变化后,
categories.ApplicationUserId
可以从不同的currentUser.Id
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.