如何在Asp.Net Core MVC中的隐藏表单中确保EntityId的安全性? [英] How secure the EntityId in hidden field for Editing Form in Asp.Net Core MVC?
问题描述
我想使用Entity Framework Core创建用于编辑数据库中某些Entity(例如帖子)的表单.
I'd like to create the form for editing some Entity (for example a post) in the database using the Entity Framework Core.
在从浏览器重写为另一个值之前,我想保护隐藏字段中的值PostId.我想知道在更新之前检查用户权限,但是我想创建一些加密/签名或类似的东西.
I want to protect the value PostId in the hidden field before rewriting to another value from the browser. I'm wondering about checking the user permissions before updating but I want to create some encryption/signing or something like that.
我如何加密或签名PostId,然后在控制器中解密或验证它?
How can I encrypt or sign the PostId and in the controller decrypt or validate it?
我已经创建了用于编辑帖子的示例表单,如下所示:
I've created the example form for editing the post like this:
实体-帖子:
public class Post
{
[Key]
public int PostId { get; set; }
[Required]
[StringLength(40)]
public string Title { get; set; }
}
Controller-具有Edit方法的PostsController:
Controller - PostsController with Edit method:
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Edit(int id, [Bind("PostId,Title")] Post post)
{
if (ModelState.IsValid)
{
//Update method
}
return View(post);
}
用于编辑的表格:
@model EFGetStarted.AspNetCore.NewDb.Models.Post
@{
ViewBag.Title = "Edit Post";
}
<h2>@ViewData["Title"]</h2>
<form asp-controller="Posts" asp-action="Edit" method="post" asp-antiforgery="true" class="form-horizontal" role="form">
<div class="form-horizontal">
<div asp-validation-summary="All" class="text-danger"></div>
<input asp-for="PostId" type="hidden" />
<div class="form-group">
<label asp-for="Title" class="col-md-2 control-label"></label>
<div class="col-md-10">
<input asp-for="Title" class="form-control" />
<span asp-validation-for="Title" class="text-danger"></span>
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<input type="submit" value="Edit" class="btn btn-default" />
</div>
</div>
</div>
</form>
推荐答案
通过加密,您没有任何实际的商业价值,如果这样做是为了防止一个用户编辑/修改他无权访问的帖子,则表示您应该遵循永不信任客户端"的原则在后端执行此操作,并始终验证服务器上的输入.
By encrypting it you don't get any real business value and if the intent is so prevent one user to edit/modify posts he has no access to, you should do it in the backend by following the "Never trust the client" principle and always validate input on the server.
最简单的方法是仅使用发布的模型中的帖子ID,并验证用户是否有权对其进行修改.为此,基于新策略的系统提供基于资源的权限有据可查,可用于验证权限.
Easiest way to do is to use only the post ID from the model posted in and validate if the user has permissions to modify it. For this the new policy based systems offers resource based permissions which are well documented and can be used to validate the permissions.
完成后,传递的值将被接管并保存更改.
Once done, passed take over the values and save the changes.
此外,您不应该在视图内部使用持久性模型,当您更改数据库布局时,它们会轻易破坏您的API或表单,并且导航属性可能会引起问题(循环引用等);尤其是稍后,当实现延迟加载时(延迟加载不会在其属性内异步发生,因此db调用将阻塞线程).
Also you shouldn't use persistence models inside the views, they easily break your API or your forms when the you change the database layout and navigation properties may cause issues (circular references etc.); especially later on, when lazy loading is implemented (lazy loading can't happen async as its inside a property, so the db call will block the thread).
这篇关于如何在Asp.Net Core MVC中的隐藏表单中确保EntityId的安全性?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
