
I have a list of posts that any user can edit.
When I enter edit mode for a post, I store the PostId in a hidden field.
Now I see that this is actually bad, because the user can change that hidden field and update some other post.

Is the session the only alternative for keeping the id of the post the user is editing, or is there some better tactic?

Because mine is really bad :(


3 Answers

There's a better tactic:

Before updating the record check if the record that the user is trying to update belongs to the currently authenticated user.

You could write a custom authorize attribute that does this task for you. Here's an example.

Darin Dimitrov
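A sketch of the custom authorize attribute the answer describes, written as an added example for this post rather than code from the answer or any linked article. It targets ASP.NET MVC 3 or later; the `Post` type, `IPostRepository`, the `OwnerUserName` property, the `id` route value and the `PostId` form field are assumptions chosen for the example. Because an authorization filter runs before model binding, the attribute reads the id from the route or the raw form itself, then looks the record up and compares its owner with the authenticated user. Both "no such post" and "not your post" get the same 404 so the response does not tell a user which ids exist.

```csharp
using System;
using System.Web.Mvc;

// Assumed domain type and repository (not from the answer); use your own.
public class Post
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public string Title { get; set; }
    public string Body { get; set; }
}

public interface IPostRepository
{
    Post Find(int id);
}

// Rejects the request unless the post named by the "id" route value
// (or the "PostId" form field) belongs to the currently authenticated user.
public class AuthorizePostOwnerAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Let the base attribute enforce "must be logged in" (and Roles/Users if set).
        base.OnAuthorization(filterContext);
        if (filterContext.Result != null)
            return; // already rejected as unauthenticated

        int postId;
        if (!int.TryParse(ReadPostId(filterContext), out postId))
        {
            filterContext.Result = new HttpStatusCodeResult(400, "Missing or invalid post id");
            return;
        }

        // Assumption: the repository is registered with the MVC dependency resolver.
        var repository = DependencyResolver.Current.GetService<IPostRepository>();
        var post = repository.Find(postId);
        var currentUser = filterContext.HttpContext.User.Identity.Name;

        // Same answer for "not found" and "not yours": the caller learns nothing
        // about which ids exist.
        if (post == null ||
            !string.Equals(post.OwnerUserName, currentUser, StringComparison.OrdinalIgnoreCase))
        {
            filterContext.Result = new HttpNotFoundResult();
        }
    }

    // Prefer the route value (/Posts/Edit/42); fall back to the posted hidden field.
    private static string ReadPostId(AuthorizationContext filterContext)
    {
        object routeId;
        if (filterContext.RouteData.Values.TryGetValue("id", out routeId) && routeId != null)
            return routeId.ToString();

        return filterContext.HttpContext.Request.Form["PostId"];
    }
}

// Usage: the ownership check runs before the action body is ever entered.
public class PostsController : Controller
{
    [HttpPost]
    [AuthorizePostOwner]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(int id, string title, string body)
    {
        // Safe to update post `id` here: the filter has already proved it is ours.
        return RedirectToAction("Details", new { id });
    }
}
```

The attribute decides on the id it can read from the request, so the action must use that same id (route value first, then the hidden field) and not pick it up from some other posted value, otherwise the check and the update could disagree.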

Try to put just the post ID in a hidden field, no more fields. Then, in the controller, get the original post from the database using that id.

Then you have to check:

  • If the id indeed pulls something from the database (in case the post is already deleted or the user changed the id in your hidden field).
  • If the post to be edited is from that user/tenant (if it is from that user, and he changed the id in your hidden field to point to another post of his own, it is his responsibility).
  • Add any other checks that you need in your logic (check if the user has permission to do that, or check dates, etc.).
  • You can then update only the fields that you allow to be edited in the post object from the database, and save it (assuming you are receiving a PostViewModel in your action and not the Post model itself).

This approach can be used in DELETE cases also, checking if it is OK to delete that item given an id.

Romias
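The checks above carried through in one controller, as an added example that is not code from the answer. The `Post`, `PostViewModel` and `IPostRepository` types, the `OwnerUserName` and `LockedAt` properties, and the `HttpNotFound` responses are assumptions for the example (ASP.NET MVC 3 or later). The same `FindOwnedPost` helper backs both Edit and Delete, which is the DELETE case the answer mentions; only whitelisted fields are copied from the view model onto the record loaded from the database.

```csharp
using System;
using System.Web.Mvc;

// Assumed domain type (not from the answer).
public class Post
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public string Title { get; set; }
    public string Body { get; set; }
    public DateTime? LockedAt { get; set; }   // example business rule: locked posts are read-only
}

// What the form posts back: the id plus only the fields a user may edit.
public class PostViewModel
{
    public int PostId { get; set; }
    public string Title { get; set; }
    public string Body { get; set; }
}

public interface IPostRepository
{
    Post Find(int id);
    void Save(Post post);
    void Delete(Post post);
}

[Authorize]
public class PostsController : Controller
{
    private readonly IPostRepository _posts;

    public PostsController(IPostRepository posts)
    {
        _posts = posts;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(PostViewModel model)
    {
        // Checks 1 and 2: the id must resolve to a record, and that record must be ours.
        var post = FindOwnedPost(model.PostId);
        if (post == null)
            return HttpNotFound();

        // Check 3: any other rule your logic needs (here, a lock date).
        if (post.LockedAt.HasValue)
            return new HttpStatusCodeResult(409, "Post is locked");

        if (!ModelState.IsValid)
            return View(model);

        // Check 4: copy only the fields we allow; the posted model is never saved as-is,
        // so the owner, id and anything else not in the view model cannot be changed.
        post.Title = model.Title;
        post.Body = model.Body;
        _posts.Save(post);

        return RedirectToAction("Details", new { id = post.Id });
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        // Same gate as Edit: a user can only delete a post that exists and is theirs.
        var post = FindOwnedPost(id);
        if (post == null)
            return HttpNotFound();

        _posts.Delete(post);
        return RedirectToAction("Index");
    }

    // Returns the post only if it exists and belongs to the authenticated user.
    // Missing and foreign posts look identical to the caller (both yield null -> 404).
    private Post FindOwnedPost(int id)
    {
        var post = _posts.Find(id);
        if (post == null)
            return null;

        var owner = post.OwnerUserName ?? string.Empty;
        return string.Equals(owner, User.Identity.Name, StringComparison.OrdinalIgnoreCase)
            ? post
            : null;
    }
}
```

Because the tampered-id case and the deleted-post case both end in the same lookup, one helper covers the whole list of checks; anything id-based (edit, delete, publish) should go through it rather than trusting a value the browser sent.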

Keep it in an asp Hidden field and set the Visible property to false. This will let you access the value while making the control invisible on the page, even in its rendered HTML tags.