I found this process simpler when consuming a WCF service (SOAP), but here goes...
Where Users 1..* Categories:
In exposing an OData RESTful service (MVC4, WebAPI, OData), client-side code could be issued like:
/odata/Categories?$filter=startswith(CategoryName,'paid')
Or even
/odata/Categories
Would return all categories for all users. Not very secure.
I want to ensure that all requests issued when a user is logged in (I'm using forms authentication with my own custom role provider) only return data related to that user (where userID=x). Is there a custom filter that needs to be created, whereby even if a logged in user saw the outgoing WebAPI/OData request paths (often defined in JavaScript), they can't try to get other users' information?
Each navigation property or related table in the db has a UserID field where the "AND UserID=x" could be used.
Would this involve creating some sort of FilterQueryValidator (actually query addition) similar to what's found at the bottom of this page?
I'm just not sure on how this works, and would like some pointers.
FYI: This may be related to this other question, but more specific on user-based requests.
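One way to enforce the "AND UserID=x" server-side, as an added example that is not code from the original question: scope the IQueryable to the logged-in user before Web API OData applies the client's $filter, so the client's query options can only narrow an already-restricted set. It assumes an EF DbContext named AppDbContext with Categories and Users sets, Category and User entities with the columns used below, and forms authentication populating User.Identity.Name.

```csharp
using System.Linq;
using System.Net;
using System.Web.Http;
using System.Web.Http.OData;   // ODataController, [FromODataUri]; [Queryable] was renamed [EnableQuery] later

// Added example (not code from the original post). Assumed: an EF DbContext "AppDbContext"
// with DbSet<Category> Categories and DbSet<User> Users, a Category entity with CategoryID
// and UserID columns, and forms authentication so User.Identity.Name is the logged-in name.
[Authorize] // unauthenticated callers get 401 before any query runs
public class CategoriesController : ODataController
{
    private readonly AppDbContext _db = new AppDbContext();

    // Resolve the current principal to its UserID. Looking it up in a Users table keyed by
    // user name is an assumption; use whatever your custom role provider stores.
    private int CurrentUserId()
    {
        string name = User.Identity.Name;
        return _db.Users.Where(u => u.UserName == name).Select(u => u.UserID).Single();
    }

    // Every query the client can issue is composed on top of this already-scoped IQueryable.
    // [Queryable] applies the client's $filter/$orderby/$top to what this returns, so the
    // client predicate is ANDed with "UserID = x" in the generated SQL: even
    // /odata/Categories?$filter=UserID eq 7 yields only rows that satisfy both, i.e. nothing
    // belonging to another user. No client-controlled value ever reaches the scoping clause.
    private IQueryable<Category> ScopedCategories()
    {
        int userId = CurrentUserId();
        return _db.Categories.Where(c => c.UserID == userId);
    }

    // GET /odata/Categories  and  GET /odata/Categories?$filter=startswith(CategoryName,'paid')
    [Queryable]
    public IQueryable<Category> Get()
    {
        return ScopedCategories();
    }

    // GET /odata/Categories(5): key lookups go through the same scope, so a key that belongs
    // to another user is indistinguishable from one that does not exist (404, not 403).
    public Category Get([FromODataUri] int key)
    {
        Category category = ScopedCategories().SingleOrDefault(c => c.CategoryID == key);
        if (category == null)
            throw new HttpResponseException(HttpStatusCode.NotFound);
        return category;
    }
}
```

The same Where(c => c.UserID == userId) scope has to be applied in every other entity-set controller and in any navigation-property action, otherwise $expand or a path such as /odata/Users(x)/Categories reaches rows this controller would have hidden.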