
We are considering the Hot Towel SPA template for a new ASP.NET MVC project, but are not sure how to filter & secure user-specific data. Our project would be ASP.NET MVC based with EntityFramework.

Consider a service that allows people to store sales information for different companies, each with one or more locations.

  • When a store manager logs in, he should only see his store's sales.
  • When a regional manager logs in, he should only see the stores in his region.
  • When the CEO logs in, he should be able to see all of the stores.

This business logic could be handled within the JavaScript on the client side, but it would seem that it would be easy to bypass with browser developer tools, Fiddler or the like. By manipulating HTTP request strings (since it's OData based), they could see data for other stores in their company, and potentially stores for other companies.

It would be nice to say on the client-side:

var query1a = EntityQuery.from("Customers").where("CompanyName", "startsWith", "A");

and it return results only for the current user, and not for the entire db.

Any suggestions/examples/tutorials on how to accomplish this on the server?

Would it make sense to store this "filter" logic in session variables? So for the query above:

(something to the effect of)

[HttpGet] public IQueryable<Customer> Customers() { var companyId = (int)Session["CompanyID"]; return _contextProvider.Context.Customers.Where(x => x.CompanyID == companyId); }

  • possible duplicate of [How is breeze.js handling security and avoiding exposing business logic](http://stackoverflow.com/questions/13662496/how-is-breeze-js-handling-security-and-avoiding-exposing-business-logic) – PW Kad Oct 28 '13 at 02:46
  • In that possible duplicate, @Ward said `I'd be happy to try to answer a more specific "how to" question.` I tried to phrase my question as "how to" question on the topic. Since one typically creates a Breeze specific controller, I was looking for Breeze specific guidance in this area. – Carol AndorMarten Liebster Oct 28 '13 at 21:43

1 Answer

You can do exactly what you ask by writing your server-side query methods such that they add restricting where clauses to achieve the user-based filtering effect that you require.

You'd also want to impose the same restrictions on saves. You can't trust the client. For example you don't want the store manager to be able to save sales for a different store.

There could be a lot of business logic involved. I wouldn't put any of it in the Web API controller. I like my controllers to stay focused on mediating between web requests and server-side business logic. I like that logic encapsulated in some other class or classes.

These safety measures begin with the presumption that you have an authentication/authorization scheme in place and that the user ... and his/her permissions ... are known at the time the request is processed. You should be able to pass that security information around.

On the query-side, you could have one or more repositories that set minimum filters on queries. You have the right idea in the query you composed for your question. The details are business specific. I'd just move it out of the controller and into one or more supporting repository class(es).

You do something similar when users save. In your BeforeSaveEntities method you'd examine every entity-to-be-saved and make sure the user was authorized to make that change.

This is not trivial logic. The Breeze hooks are there to apply that business logic when you figure it out.

Ward
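The two hooks the answer describes, query-side minimum filters and a BeforeSaveEntities-style check on saves, as an added example that is not Ward's or Breeze's own code. It assumes a Customer entity with a CompanyID column, a hypothetical SalesContext DbContext, a "CompanyID" claim and a "CEO" role issued at login, claims-based authentication on the Web API pipeline, and the namespaces of the Breeze.ContextProvider.EF6 / Breeze.WebApi2 packages.

```csharp
using System.Data.Entity;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Breeze.ContextProvider;
using Breeze.ContextProvider.EF6;
using Breeze.WebApi2;
using Newtonsoft.Json.Linq;
// Hypothetical entity and DbContext: every row carries the company that owns it.
public class Customer { public int Id { get; set; } public int CompanyID { get; set; } public string CompanyName { get; set; } }
public class SalesContext : DbContext { public DbSet<Customer> Customers { get; set; } }
// Context provider scoped to the caller: the company comes from the authenticated principal
// (assumed claim "CompanyID" set at login), never from anything the client sends.
public class SalesContextProvider : EFContextProvider<SalesContext>
{
    private readonly int _companyId; private readonly bool _isCeo;
    public SalesContextProvider(ClaimsPrincipal user)
    {
        _companyId = int.Parse(user.FindFirst("CompanyID").Value);
        _isCeo = user.IsInRole("CEO");   // assumed role name
    }
    // Query side: the minimum filter is applied before any client $filter is composed on top.
    public IQueryable<Customer> Customers()
    {
        IQueryable<Customer> q = Context.Customers;
        return _isCeo ? q : q.Where(c => c.CompanyID == _companyId);
    }
    // Save side: Breeze calls this once per entity in the bundle, before anything hits the database.
    protected override bool BeforeSaveEntity(EntityInfo entityInfo)
    {
        var c = (Customer)entityInfo.Entity;   // any other type is an error, so let the cast fail
        // Updates and deletes are also checked against the stored row, so a client cannot take
        // over another company's row by re-labelling it with its own CompanyID.
        bool owned = _isCeo || (c.CompanyID == _companyId &&
            (entityInfo.EntityState == Breeze.ContextProvider.EntityState.Added ||
             Context.Customers.Any(x => x.Id == c.Id && x.CompanyID == _companyId)));
        if (!owned) throw new EntityErrorsException(new[] { new EntityError { ErrorName = "Unauthorized",
            EntityTypeName = typeof(Customer).FullName, KeyValues = new object[] { c.Id },
            ErrorMessage = "Not allowed for this company" } });
        return true;
    }
}
[BreezeController]
public class SalesController : ApiController
{
    private SalesContextProvider Provider { get { return new SalesContextProvider((ClaimsPrincipal)User); } }
    [HttpGet] public IQueryable<Customer> Customers() { return Provider.Customers(); }
    [HttpPost] public SaveResult SaveChanges(JObject saveBundle) { return Provider.SaveChanges(saveBundle); }
}
```

The controller stays a thin mediator as the answer suggests; the filter and the save guard live in the provider, and the caller's scope is read from claims rather than from session state or the request.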