This is going to sound like a stupid question, but I just wonder if I'm missing a trick anywhere.
Scenario is, I have a web application using Simple Memebership, where users can register to use it (invoice program for example).
However, they should only be able to view/update/remove information that they themselves add to the database/web app.
What is the best way to ensure the user only gets acces to their information?
Is it to add a Username field to every table, eg:
public class Invoice
{
public int InvoiceId { get; set; }
public int CustId { get; set; }
public string UserName { get; set; }
}
public class Item
{
public int ItemId { get; set; }
public int InvoiceId { get; set; }
public string UserName { get; set; }
}
...and then in any controller that accesses the data, simply add a check for the username within every query, eg:
var Inv = db.Invoices.Where(x => x.UserName = User.Identity.Name);
var Itm = db.Items.Where(y => y.UserName = User.Identity.Name);
That is what I'm using currently, but wondered if this is best practice? Or if there is a simpler way now we're onto MVC4?
Is it best to use UserName or UserId from the UserProfile table, or does it matter?
Update to add clarity following comments
So 10 users have registered - and all created their own invoices. I don't want any user seeing any other users invoice.
Thanks for any advice.
Mark
Things i would do are:
Avoid passing in any form of user id/credential in post/query string, hold it somewhere secure, like encrypted in a cookie, and always user this when building your queries
If you have Ids passed back to your program as part of an edit, make sure the values have not been tampered with, if you output the id in a hidden field, make sure it is the same when it comes back as it went out (direct reference attack this is called)
if your application requests an edit, such as client/edit/4, always ensure that id 4 belongs to that user before displaying it.
Some good reading here on the top 10 vulnerabilities: https://www.owasp.org/index.php/Top_10_2010-Main
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With