2

Our company is currently remaking our software from web forms to MVC and it is currently in alpha stage before we release it to our clients. In a nutshell, the app have multiple hotels subscribing and using our service. The core security I now need to ensure is that no user should be able to access/modify data belonging to another hotel.

Our models mostly follow either one of the two examples below:

RoomCategory   (structure: model.HotelID)
--------------
ID
HotelID

Room    (structure: model.Parent.HotelID)
--------------
ID
RoomCategoryID
HotelID

The problem is that when I am on ~/rooms/edit/1, I can change the form action URL and the hidden field value from '1' to '50' and room ID 50 belongs to another hotel. This is a big problem since one user can actually 'steal' a room from another hotel and make it their own! Our clients will not be very happy.

The way I'm approaching the problem...

From the currently logged-in user data (accessed from session), we know the Hotel (or Hotels) the user has the rights to manage. One way is to authenticate each action call and do something like this:

app.AuthenticateAccess(room.RoomCategory.HotelID);

This way, the AuthenticateAccess function will prevent further operation and 'redirect' to an Unauthorized/NotFound page since it knows that Room ID 50 belongs to HotelID 2 while the current user doesn't have access to it. Sure I think this is a safe way, but this involves a lot of duplicate function calls across all actions in each controller.

I have been looking into different possibilities to overcome this security challenge at a global level:

  1. Easiest. Encrypt all IDs and hidden fields value though I personally think that even without encryption, the system should be able to authenticate the access each user has.
  2. Set HotelID in a separate abstract class and let each model (which stores data about one particular hotel) inherits from this abstract class. Perhaps some kind of generics can be done here?
  3. We use repository/unit of work pattern. Is there some way to limit the data which we can retrieve/update to that of the currently selected Hotel ID only?
  4. [Your awesome solution goes here.]

I have some other solutions in mind like using System.Reflection to search for all HotelID attributes and ensuring all the data saved/created is allowed for the current user to make. But anyway let me hear your approach to solve this issue since I am not convinced yet with any solution that I can think of.

Erik Funkenbusch
  • 92,674
  • 28
  • 195
  • 291
kent-id
  • 717
  • 10
  • 25

2 Answers2

1

Never trust the data coming from client. Always validate the posted data before doing any updates/transaction on your database.

So in your HttpPost action method, You run a sanitization check before proceeding

[HttpPost]
public ActionResult Book(BookingViewModel model)
{
  var isGood = hotelService.DoesCurrentUserHasAccessToRoom(model.RoomId);
  if(isGood)
  {
     //Continue with Saving
     hotelService.BookRoom(model);
     return RedirectToAction("BookingCompleted");
  }
  return View("NotAuthorized");
}

There won't be duplicate code as long as you put them into small reusable methods in your service as needed.

Shyju
  • 214,206
  • 104
  • 411
  • 497
  • I think the solution you posted (passing model.HotelID is great). But again, this involves handling the situation at each action (local). Let's say our app has around 80-100 POST actions from all the controllers including AJAX-only actions. I am just wondering whether it's possible to do this via an Authorize Filter or maybe by overriding the ModelBinder and do a sanitizing check? – kent-id Nov 17 '15 at 20:52
1

Other option would be to add HMAC field to check sensitive data (hidden id field) has not been changed, I use it once and never use it again, overkill solution.

That being said...

I have run into the same issue multiple times, and I thought almost the same options, in the long run I stick with simplest solution the GetById repository method passing the CurrentUserId, something like:

Entity GetById(int id, int? userId);

Why?

You are asking a granular level of authorization, which can be obtained only when you know the exact record involved in the operation, so why not check for that in the method responsible for obtaining the record in the first place?

If the record exist and the user created that record then return the record, else return null as the object does not exist for that user, don't even bother returning a "You don't own that object" type of message just a plain and simple 404 "the record does not exist".

If you want you can try this same approach but with ActionFilters, something similar to this. But you must figure out how to retrieve the record in that filtercontext.

For admins with full access you can just bypass that check if you pass null to that method.

Community
  • 1
  • 1
JOBG
  • 4,544
  • 4
  • 26
  • 47
  • This sounds like a possibility. In fact, we have been doing a similar thing for inserting detailed transaction logs by doing it at UnitOfWork level. I will discuss the possibility to implement this approach with my team members in the office tomorrow and I'll update you. Thank you! :) – kent-id Nov 17 '15 at 22:15
  • Hi @jobg! Sorry for not getting back to you sooner. I have adjusted your solution to my requirements and it works great. What I did was to simply allow changing the hidden field values since we have records of all the user's access. If he doesn't have access to that particular row, then it will not commit the transaction and though possible, we didn't bother showing an unauthorized page as you suggested. This is a bottom line security after all. We have Authorize attribute to show unauthorized page for users not having access to a particular page/feature. Summing up, thanks a lot!! :) – kent-id Nov 21 '15 at 13:20