Last post Jul 15, 2016 05:22 AM by Nan Yu
Jul 13, 2016 02:36 PM|Velict
I am building a user-driven site in MVC with ASP.NET Identity 2.
All entities that a user can edit on the website are checked by getting the current user ID server-side.
The user ID is not exposed in queries when editing user-related content.
It's mainly used for showing profiles, and used in the folder structure for uploaded content.
I was wondering if it is considered bad practice to expose user IDs in URLs and paths to user-uploaded content?
The user ID in Identity consists of a Guid.
Thank you! :)
Jul 13, 2016 03:57 PM|PatriceSc
I'm not sure why you need to show them as part of the URL, but at least it should be used to tell what the user wants to see, not who the logged-in user is, and even less as "proof" that he has access to that. So:
- if a user will only edit his own stuff, the URL could be just myfiles/ThisFile.txt. Showing the actual path is not needed and you'll deal with that server-side
- if a user could access data from another user, it could be <guid>/ThisFile.txt for example, BUT:
  - it tells which other user's data is accessed
  - it doesn't tell who is the current user or whether the user has access just because he can use the link, i.e. you still have to check that this guid is either the one for the current user (i.e. the user can get his own stuff) or that the current user has been granted access to this content
Not directly related, but it is quite frequent to see someone encrypting an id so that for thisrow.aspx?id=4, a user couldn't change 4 to 5. IMO this is a bad way, or at least not the first action that should be done. The point is not to make the value hard to change or guess (and if the encryption is not done properly it could be less hard than thought), the point is that EVEN if you can change 4 to 5, the page should check that the current user is allowed to access row 5 before showing the data.
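The server-side check described in the post above, as an added example that is not part of the thread: the GUID from the URL only selects whose content is requested, and access is decided from the authenticated user ID. The class name, the `uploads` root and the in-memory grants dictionary are assumptions standing in for the application's own storage and sharing table.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Hypothetical names throughout; the grants dictionary stands in for the app's sharing table.
public sealed class UploadAccessPolicy
{
    private readonly string _root;
    private readonly Dictionary<Guid, HashSet<Guid>> _grants; // owner -> users granted access

    public UploadAccessPolicy(string root, Dictionary<Guid, HashSet<Guid>> grants)
    {
        _root = root;
        _grants = grants;
    }

    // ownerIdFromUrl only says WHOSE content is requested. currentUserId must come from the
    // authenticated session on the server (User.Identity.GetUserId() in MVC with Identity).
    // Returns the storage path, or null when the request must be refused.
    public string Resolve(string ownerIdFromUrl, string fileName, Guid currentUserId)
    {
        Guid ownerId;
        if (!Guid.TryParse(ownerIdFromUrl, out ownerId)) return null;

        HashSet<Guid> granted;
        bool allowed = ownerId == currentUserId
            || (_grants.TryGetValue(ownerId, out granted) && granted.Contains(currentUserId));
        if (!allowed) return null;

        // Accept a bare file name only, so the request cannot leave the owner's folder.
        if (string.IsNullOrEmpty(fileName) || fileName == "." || fileName == ".."
            || fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        return Path.Combine(_root, ownerId.ToString(), fileName);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample users: alice has shared her files with bob only.
        Guid alice = Guid.NewGuid(), bob = Guid.NewGuid(), carol = Guid.NewGuid();
        var policy = new UploadAccessPolicy("uploads",
            new Dictionary<Guid, HashSet<Guid>> { { alice, new HashSet<Guid> { bob } } });

        Console.WriteLine(policy.Resolve(alice.ToString(), "ThisFile.txt", alice) != null);  // owner
        Console.WriteLine(policy.Resolve(alice.ToString(), "ThisFile.txt", bob) != null);    // granted
        Console.WriteLine(policy.Resolve(alice.ToString(), "ThisFile.txt", carol) != null);  // has the link, no grant
        Console.WriteLine(policy.Resolve(alice.ToString(), "../ThisFile.txt", alice) != null); // path escape
    }
}
```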
Jul 13, 2016 05:04 PM|Velict
I'm not sure I understand you :) - The idea behind all this was to make a folder structure on the server to store public content of a user.
As an example, when a user visits a profile, the profile picture is stored in the following folder: /uploads/useridofvisiteduser/profilepictures/guid.ext.
My question is whether it's okay to store content in that way, because the link to, in this case, the profile picture would contain the user ID of the visited user.
Jul 13, 2016 07:38 PM|Velict
Another example could be sending a message to a user and having the user ID of the specified user in the form post.
Jul 15, 2016 05:22 AM|Nan Yu
Could the logged-in user only see another user's profile picture? If yes, on the server side you should confirm that the role of the user has permission to access other users' resources. If the user has permission, you could access the profile picture on the server side (using the user ID as the identifier), then show the image on the client side.