Last post Apr 25, 2012 05:35 PM by CodeHobo
Apr 25, 2012 03:00 PM
Hello, I'm using the MVC3 architecture on a website and need to know how to prevent the user from manipulating the parameters of a URL.
This means you cannot manipulate the number 25.
Thanks for your help.
Apr 25, 2012 03:05 PM
The user can always modify the URL; that's part of the browser, and as web application developers we don't have direct access to that. What we can do, however, is control what happens on the server. The way to deal with this issue is by authorizing the user on the server. Meaning that in your action method you need to check if the user has access to the edit action method, and then also check that the user is allowed to edit row 25. If your rules don't allow the user to edit record 25, then you would send the user to an unauthorized page.
You have access to a user's logged-in name and role; use those to determine if the user has access. See this
Apr 25, 2012 03:23 PM
That's one solution that I had thought of.
Can MVC not control that? For example, using HttpPost?
Apr 25, 2012 04:04 PM
You can create an action filter similar to HttpPost and put the authorization code in there. The action filter has access to the input parameters and the user's role/username. That's probably the cleanest way, but there is no built-in way to do this, since it's going to be unique for every application and depends on your specific business rules.
Here's a link on creating a custom action filter
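An added example, not code from this thread, showing the filter the reply above describes together with the per-record ownership check from the earlier reply, written for ASP.NET MVC 3. The `IRecordRepository` interface, its registration with `DependencyResolver`, and the "Admin" role are assumptions for the sake of the example.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical data-access interface (assumption): returns the user name that owns
// a record, or null when no such record exists. Registered with DependencyResolver.
public interface IRecordRepository
{
    string GetOwnerUserName(int recordId);
}

// Usage: [AuthorizeRecordOwner("id")] on Edit(int id). Runs before the action body,
// so a tampered id in the URL never reaches the data layer.
public class AuthorizeRecordOwnerAttribute : ActionFilterAttribute
{
    private readonly string _parameterName;
    public AuthorizeRecordOwnerAttribute(string parameterName) { _parameterName = parameterName; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult(); // 401: not logged in
            return;
        }
        // The filter sees the bound action parameters, so it can read the record id.
        object raw;
        filterContext.ActionParameters.TryGetValue(_parameterName, out raw);
        int recordId;
        if (!int.TryParse(Convert.ToString(raw), out recordId))
        {
            filterContext.Result = new HttpStatusCodeResult(400); // malformed id
            return;
        }

        var repo = DependencyResolver.Current.GetService<IRecordRepository>();
        var owner = repo.GetOwnerUserName(recordId);
        // Business rule (assumption): admins may edit any row; others only their own.
        var allowed = owner != null && (user.IsInRole("Admin")
            || string.Equals(owner, user.Identity.Name, StringComparison.OrdinalIgnoreCase));
        if (!allowed)
        {
            filterContext.Result = new HttpStatusCodeResult(403); // unauthorized page
            return;
        }
        base.OnActionExecuting(filterContext);
    }
}
```

Because the check is keyed on the server-side owner of the record rather than on anything in the request, changing "25" to another number in the URL only yields a 403 unless that row is also owned by the caller.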
Apr 25, 2012 05:23 PM
I have decided to encrypt the URL parameters, but the encrypted string I get contains the characters "/" and "+".
How can I avoid those characters?
Apr 25, 2012 05:35 PM
You have to UrlEncode your parameters.