
In my application users are able to transfer points between them. In my view, I check if the user can transfer points from his account; if he can, I render something that allows him to do that. I would not like to check that again in my controller, so I need some mechanism that will allow me to check whether the user I rendered a view page for is the same as the one who is sending a request to my controller.

So basically, I would like to check in my controller whether the currently logged-in user is the same as the one who sent the request, and to do this I think I need something that works similarly to ViewBag, but not from the controller to a view, rather from the view to a controller. Is that possible?

Brian Tompsett - 汤莱恩
ojek

1 Answer


A proper way to do this will not be the transfer of such information between user requests. Every request shall be stateless, but you are trying to embed a state. This is a fair way to shoot yourself in the foot.

If your action requires authentication (you are who you say you are) you should do it using the standard classic ASP.NET way. This will embed a standard authentication token in any further user requests. This way you will know whether the user is authenticated or not.

For some actions that require authorisation (the user has permission to perform an action) you must validate that the user has the power to perform such an action. This must be done for every request, and it is usually a fast operation. No need to optimise things here by reducing your security barrier.

If you search for authentication and authorisation with classic ASP, you will get a more fine-grained answer on how to do the coding bit.


I wouldn't recommend it, but you can still embed hidden information with

<input type="hidden" value="..."/>
oleksii
  • Okay, so here are some details: in my view, I check the database; if the user has points and is able to transfer those points, then I render him a proper form. What you are telling me is that I would need to do this a second time in a controller after this form is sent. So I will do a double database check, isn't that incorrect? – ojek Aug 19 '12 at 17:56
  • I am not sure why the View is doing *any* check. It ideally should be as dumb as possible and only contain UI display logic. Deciding whether a user has enough points shall be done in the Controller (or some people prefer the Model). Is this all happening during a single request? – oleksii Aug 19 '12 at 18:05
  • Even more details: I do have a DisplayThread() controller, where I obtain the thread and associated information about it. I pass it into the view as a model; in this view I check it and render a view. If someone decides to reward a post, then in the Reward() controller I will need to get almost the same information as I got in the DisplayThread() controller. I am not sure about this; I think that if I could somehow pass just a single username from a view to the Reward() controller, I would not need to hit the db once again. – ojek Aug 19 '12 at 18:07
  • Oh I see. There should be a shortcut for the Reward, so it won't hit the database providing the user is authenticated. Maybe see [this](http://stackoverflow.com/a/263853/706456) answer and similar in the thread. I am not sure what's possible in classic asp, hopefully someone with better understanding than me can help you out. – oleksii Aug 19 '12 at 18:33
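As an added illustration of the approach the answer recommends (this is not code from the question, the answer, or the asker's project): an ASP.NET MVC controller pair in which the identity of the caller comes from the authentication ticket and the "may this user transfer points" decision is re-made on every POST, instead of being carried from the view in a hidden field. The action names DisplayThread and Reward come from the comments above; the repository interfaces, the view model, the Razor form shown in the comment, and the atomic-transfer query are assumptions for the example.

```csharp
using System.Net;
using System.Web.Mvc;

// Hypothetical data access (assumed, not from the original post).
// TryTransfer is expected to be atomic in the database, e.g. a single
//   UPDATE Points SET Balance = Balance - @amount
//   WHERE UserName = @from AND Balance >= @amount
// followed by the credit in the same transaction, so that the "does he
// have enough points" check and the debit cannot race each other.
public interface IPointsRepository
{
    int GetBalance(string userName);
    bool TryTransfer(string fromUser, string toUser, int amount);
}

public interface IPostRepository
{
    string GetAuthor(int postId);   // null when the post does not exist
}

public class RewardViewModel
{
    public int PostId { get; set; }
    public string PostAuthor { get; set; }
    public bool CanReward { get; set; }   // the view only reads this flag
}

public class ThreadController : Controller
{
    private readonly IPointsRepository _points;
    private readonly IPostRepository _posts;

    public ThreadController(IPointsRepository points, IPostRepository posts)
    {
        _points = points;
        _posts = posts;
    }

    // GET: the controller, not the view, decides whether the form is shown.
    // The result is purely cosmetic; it is not what protects the transfer.
    [Authorize]
    public ActionResult DisplayThread(int postId)
    {
        string me = User.Identity.Name;       // from the forms-auth ticket
        string author = _posts.GetAuthor(postId);
        if (author == null)
            return HttpNotFound();

        var model = new RewardViewModel
        {
            PostId = postId,
            PostAuthor = author,
            CanReward = author != me && _points.GetBalance(me) > 0
        };
        return View(model);
    }

    // Razor form in DisplayThread.cshtml (assumed), rendered when Model.CanReward:
    //   @using (Html.BeginForm("Reward", "Thread", FormMethod.Post))
    //   {
    //       @Html.AntiForgeryToken()
    //       @Html.HiddenFor(m => m.PostId)
    //       <input type="number" name="amount" min="1" />
    //       <button type="submit">Reward</button>
    //   }
    // There is deliberately no hidden "username" field: anyone can edit a
    // hidden input before submitting, so it proves nothing about the sender.

    // POST: every request is authenticated and authorised from scratch.
    [HttpPost]
    [Authorize]                 // authentication: the auth ticket identifies the caller
    [ValidateAntiForgeryToken]  // the POST carries the token issued with this app's form
    public ActionResult Reward(int postId, int amount)
    {
        string fromUser = User.Identity.Name; // never taken from the form body
        string toUser = _posts.GetAuthor(postId);

        if (amount <= 0 || toUser == null || toUser == fromUser)
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);

        // Authorisation: does this user have enough points right now?
        // One cheap query, and the only check that actually counts.
        if (!_points.TryTransfer(fromUser, toUser, amount))
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);

        return RedirectToAction("DisplayThread", new { postId });
    }
}
```

The second database round trip the asker worries about is unavoidable: the balance read during DisplayThread is stale by the time the POST arrives (the user may have spent points in another tab), so the only authoritative check is the conditional update at the moment of transfer. The hidden-field route the answer mentions would only work if the value were signed or tied to the session, and at that point the anti-forgery token plus the auth ticket already provide the same binding.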