static method membership data leak

Question

I would like to grab results from a database, using Entity Framework, and filter those results based on whether an asp.net user is an admin, using a static method.

Given this code, could there be instances where a non-admin user will be served admin results?

If so how would I achieve my desired result using a static method?

public class Listings
{
    public static List<Listing> GetListings()
    {
        bool isAdmin = User.IsInRole("admin");

        List<Listing> listings;

        using(DBContext dbContext = new DBContext())
        {
            listings = (from l in dbContext.Listings
                        where l.Public || isAdmin
                        select l).ToList();
        }

        return listings
    }
}

Static methods don't hurt, static fields can (since ASP.NET is multi-threaded). — Tim Schmelter, Dec 14 '13 at 19:11

score 1 · Accepted Answer · edited May 23 '17 at 12:11

1

This depends on where you get the DbContext from. Its instance methods are not thread safe.

If it is created in a ASP.NET request scope (you have a new instance in each of independent requests) then you are safe, the code is correct.

If it is shared then anything can happen, most probably you would get exceptions from concurrent access to the same db context.

Learn more from similar threads

One DbContext per web request... why?

edited May 23 '17 at 12:11

Community

1
1

answered Dec 14 '13 at 19:42

Wiktor Zychla

47,367
6
74
106

Thank you for your answer. Currently each user is getting their own DBContext and I have edited my question to reflect that. – user3102896 Dec 14 '13 at 19:51

static method membership data leak

1 Answers1