
Is it possible to validate a querystring ID, for ownership, in FluentSecurity?

Just discovered FluentSecurity. Looks very interesting.

My Web Application is written in MVC3, C# and Razor.

I am worried about the URLs being tampered with. So on top of checking for authenticated users, correct roles, I also need to ensure that the user is not trying to tamper with the URL to view data that he/she has no access to.

i.e. he/she owns #10, so

Order/10 

is fine, but not:

Order/100

With the standard [Authorize] one could write a custom authorisation class that inherits from the Authorize class, which then checks the ID; this is ok-ish... and works. So if the ID is owned by the user, then return true. How would this be implemented in the FluentSecurity environment?

Many thanks.

I can't tell you how to implement it, but I can point you in the right direction. What you need is a custom policy. You can then set up a security context modifier to provide you with the querystring/route data you need.

Custom policies are covered here: https://github.com/kristofferahl/FluentSecurity/wiki/Custom-policies

Security contexts are covered here: https://github.com/kristofferahl/FluentSecurity/wiki/SecurityContext
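Putting the two pieces from the answer together, as an added example that is not from the original question or answer and not code shipped by FluentSecurity: a custom `ISecurityPolicy` that fails unless the order id taken from the route (or querystring) is owned by the authenticated user, plus the security context modifier that copies that id and the user name onto `context.Data`. `OrderController`, `IOrderRepository` and the `id` route value name are assumptions standing in for the asker's own application; the FluentSecurity calls (`SecurityConfigurator.Configure`, `Advanced.ModifySecurityContext`, `PolicyResult.CreateSuccessResult`/`CreateFailureResult`, `HandleSecurityAttribute`) follow the linked wiki pages and should be checked against the library version in use.

```csharp
using System.Web;
using System.Web.Mvc;
using FluentSecurity;

// Assumed ownership lookup; the real application would query its order store.
public interface IOrderRepository
{
    bool IsOwnedBy(int orderId, string userName);
}

// Assumed controller matching the Order/10 URL in the question.
public class OrderController : Controller
{
    public ActionResult Details(int id) { return View(); }
}

// Custom policy: succeeds only when the order named in the URL is owned by the current user.
public class OwnsOrderPolicy : ISecurityPolicy
{
    private readonly IOrderRepository _orders;

    public OwnsOrderPolicy(IOrderRepository orders) { _orders = orders; }

    public PolicyResult Enforce(ISecurityContext context)
    {
        if (!context.CurrentUserIsAuthenticated())
            return PolicyResult.CreateFailureResult(this, "Anonymous access denied.");

        // These values are placed on the context by the modifier registered below
        // (context.Data is dynamic, so the property names are our own convention).
        string userName = context.Data.UserName;
        object rawId = context.Data.OrderId;

        // Treat a missing or non-numeric id as a failure, never as "no check needed".
        int orderId;
        if (rawId == null || !int.TryParse(rawId.ToString(), out orderId))
            return PolicyResult.CreateFailureResult(this, "Missing or malformed order id.");

        if (!_orders.IsOwnedBy(orderId, userName))
            return PolicyResult.CreateFailureResult(this, "Order " + orderId + " is not owned by the current user.");

        return PolicyResult.CreateSuccessResult(this);
    }
}

public static class SecurityBootstrapper
{
    // Call once at application start (e.g. from Global.asax Application_Start).
    public static void Configure(IOrderRepository orders)
    {
        SecurityConfigurator.Configure(configuration =>
        {
            configuration.GetAuthenticationStatusFrom(
                () => HttpContext.Current.User.Identity.IsAuthenticated);

            // Security context modifier: copy the route/querystring id and the
            // user name onto context.Data so the policy can read them.
            configuration.Advanced.ModifySecurityContext(context =>
            {
                var request = HttpContext.Current.Request;
                var routeValues = request.RequestContext.RouteData.Values;
                context.Data.UserName = HttpContext.Current.User.Identity.Name;
                // Order/10 arrives as route data; Order?id=10 arrives as a querystring value.
                context.Data.OrderId = routeValues["id"] ?? (object)request.QueryString["id"];
            });

            configuration.For<OrderController>(x => x.Details(0))
                         .AddPolicy(new OwnsOrderPolicy(orders));
        });

        // Without the filter registered, configured policies are never enforced.
        GlobalFilters.Filters.Add(new HandleSecurityAttribute());
    }
}
```

Two practical caveats: the policy only covers actions you register it for, so every action that accepts an object id needs it (or a convention in the configuration), and the repository call inside the action should still filter by the current user, so that a mis-configured or forgotten policy does not silently expose another user's order.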

The technical posts on this site are licensed under CC BY-SA 4.0; if you reprint, please indicate the site URL or the original address. © 2020-2024 STACKOOM.COM