Last post Oct 08, 2018 08:55 AM by Mikesdotnetting
Oct 08, 2018 06:53 AM | Aloysius_mahesh
However, when I open a task and change the ID of the task through the browser inspect, I can see the tasks which I'm not authorized to view.
What is the best way to handle this from the server side (controller)? I would need a generic solution which I could apply across other similar modules.
Any other advice with reference would be helpful.
Oct 08, 2018 08:55 AM | Mikesdotnetting
You should perform a check when retrieving the task in your controller to make sure that the user requesting it is authenticated and has permission to see that particular task. It's impossible to provide a generic solution because the problem is very specific to your application and is governed by your application's business rules. No one else here knows what "permission" actually means in your context. It could be governed by membership of a role, or ownership of a task, or being a member of a team that owns a task etc, etc, etc.
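One way to apply the check described in the answer above, as an added example that is not from the original thread. It assumes "permission" means ownership of the record; `IOwned`, `OwnedStore<T>` and `TaskItem` are hypothetical names, and the sample data is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical types for illustration; "permission" is assumed to mean ownership.
public interface IOwned { int Id { get; } string OwnerId { get; } }

public sealed class TaskItem : IOwned
{
    public int Id { get; set; }
    public string OwnerId { get; set; }
    public string Title { get; set; }
}

// Every read is scoped by the caller's identity, so the ID in the request
// only selects among records that caller is allowed to see.
public sealed class OwnedStore<T> where T : class, IOwned
{
    private readonly List<T> _items;
    public OwnedStore(IEnumerable<T> items) { _items = items.ToList(); }

    // Returns null both for "no such record" and "not yours", so the
    // controller can answer 404 in both cases and not reveal which IDs exist.
    public T GetFor(string userId, int id)
    {
        if (string.IsNullOrEmpty(userId)) return null;   // unauthenticated caller
        return _items.SingleOrDefault(x => x.Id == id && x.OwnerId == userId);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data.
        var tasks = new OwnedStore<TaskItem>(new[]
        {
            new TaskItem { Id = 1, OwnerId = "alice", Title = "Alice's task" },
            new TaskItem { Id = 2, OwnerId = "bob",   Title = "Bob's task" },
        });

        // In a controller, userId comes from the authenticated principal on the
        // server, never from the form, query string or a hidden field.
        foreach (var id in new[] { 1, 2, 99 })
        {
            var task = tasks.GetFor("alice", id);
            Console.WriteLine(id + " -> " + (task == null ? "404 Not Found" : task.Title));
        }
    }
}
```

Other modules can reuse the same store by implementing `IOwned` on their entities; a role or team rule would replace the `OwnerId == userId` predicate.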