I'm developing a forum and trying to create an "edit page", but I only want the user that created the post to be able to see the "edit control" and to be the only user who is able to edit his page. How should I do that?
This is how far I am right now:
    @if (WHAT TO TYPE HERE)
    {
        @Html.ActionLink("Edit", "Edit", "Threads", new { @id = Model.Id }, null)
    }
ANSWER ADDED IN COMMENT
You need to compare the current user to the original author of the post. I suppose you have a database?
Let's say you have a model for a forum thread / post:
    public class ForumPost
    {
        public int Id { get; set; }
        public string Author { get; set; }
        // [...] Additional fields.
    }
The Author field should, for example, contain the username of the one that created the post. When viewing a post you should compare HttpContext.Current.User.Identity.Name to the author of the post, Model.Author.
If you want to do this in your view, you can do it like this:
    @if (HttpContext.Current.User.Identity.Name.Equals(Model.Author))
    {
        @Html.ActionLink("Edit", "Edit", "Threads", new { @id = Model.Id }, null)
    }
I don't have a compiler with me, but this code should work.
I would however not recommend doing this directly in the view. You should create a view model which contains all the necessary fields to satisfy your view.
If not already done somewhere else, first check whether the user is authenticated, then consider what kind of authentication you are using (you should give more details in your question). For example, if you use Windows authentication, the property "User.Identity.Name" also contains the domain.
    if (HttpContext.Current.User.Identity.IsAuthenticated && HttpContext.Current.User.Identity.Name.Equals(Model.Author))
Doing this check in the view is perfectly fine as long as you keep in mind that this has a purely UX function: the role of this switch should only be to make a button visible; you should not give any security concern to it.
The security of "is the user allowed to edit the post" always has to be checked on the backend, in the edit controller action, where you'll have to do this check again. Always check who is able to do an action at the beginning of the Get method for that action.
Alright, thanks for your answers, but I found another way. The way I did it was:
Controller:
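    // Requires: System.Data.Entity, System.Linq, System.Net, System.Web.Mvc, Microsoft.AspNet.Identity
    public ActionResult Edit(int? id)
    {
        if (id == null)
        {
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
        }
        Thread thread = db.Threads.Find(id);
        string userId = User.Identity.GetUserId();
        // Only the author may open the edit form; everyone else gets a 404.
        if (thread == null || thread.ApplicationUserId != userId)
        {
            return HttpNotFound();
        }
        ViewBag.CategoryId = new SelectList(db.Categorys, "Id", "Title", thread.CategoryId);
        return View(thread);
    }

    [HttpPost]
    [ValidateInput(false)] // request validation is off: Content may contain markup, so encode it when rendering
    [ValidateAntiForgeryToken]
    public ActionResult Edit([Bind(Include = "Id,Title,Content,CategoryId")] Thread thread)
    {
        if (ModelState.IsValid)
        {
            Thread t = db.Threads.Include(m => m.ApplicationUser).FirstOrDefault(m => m.Id == thread.Id);
            // The Id comes from the posted form, so repeat the ownership check from the GET action.
            if (t == null || t.ApplicationUserId != User.Identity.GetUserId())
            {
                return HttpNotFound();
            }
            t.Content = thread.Content;
            t.Title = thread.Title;
            db.Entry(t).State = EntityState.Modified;
            db.SaveChanges();
            return RedirectToAction("Post", "Threads", new { @id = thread.Id });
        }
        return View(thread);
    }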
View:
    @if (Model.ApplicationUserId == User.Identity.GetUserId())
    {
        @Html.ActionLink("Edit", "Edit", "Threads", new { @id = Model.Id }, null)
    }
That worked :)
Thanks for all your answers
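The two suggestions from the answers above, combined: a view model carries a CanEdit flag for the view, and one ownership check guards the edit action on the server. This is an added example, not code from the original posts; ThreadViewModel, CanEdit, FindOwnedThread and ApplicationDbContext are assumed names, while Thread, ApplicationUserId and the Post action are taken from the post above.

```csharp
using System.Net;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // GetUserId()
// Also needs the app's own Models namespace (Thread, ApplicationDbContext: assumed names).
// Hypothetical view model: the view reads CanEdit and never compares ids itself.
public class ThreadViewModel
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Content { get; set; }
    public bool CanEdit { get; set; }   // UX hint only, not an access control
}

[Authorize]   // anonymous users never reach the edit action
public class ThreadsController : Controller
{
    private readonly ApplicationDbContext db = new ApplicationDbContext();
    // Single ownership check, reused by every action that changes a thread.
    private Thread FindOwnedThread(int? id)
    {
        if (id == null) return null;
        Thread thread = db.Threads.Find(id);
        string userId = User.Identity.GetUserId();
        return (thread != null && thread.ApplicationUserId == userId) ? thread : null;
    }

    [AllowAnonymous]
    public ActionResult Post(int? id)
    {
        if (id == null) return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
        Thread thread = db.Threads.Find(id);
        if (thread == null) return HttpNotFound();
        bool owner = User.Identity.IsAuthenticated
                     && thread.ApplicationUserId == User.Identity.GetUserId();
        return View(new ThreadViewModel { Id = thread.Id, Title = thread.Title,
                                          Content = thread.Content, CanEdit = owner });
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, string title, string content)
    {
        Thread thread = FindOwnedThread(id);
        if (thread == null) return HttpNotFound();   // same reply for "missing" and "not yours"
        thread.Title = title;
        thread.Content = content;
        db.SaveChanges();   // tracked entity: EF saves the changed fields
        return RedirectToAction("Post", new { id = thread.Id });
    }
}
```

The view then renders the Edit link only when Model.CanEdit is true; changing what the browser shows gains nothing, because Edit looks the thread up through FindOwnedThread again.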