ASP.NET MVC: Verify that editing record is allowed (ownership)


Question

I have a multi-user ASP.NET MVC application. The users are not supposed to see or do anything with each other's data.

One of my controller actions is the obligatory POST to /Edit to edit a record (e.g. a contact). Now here is my problem: What if somebody forges a simple POST to /Edit (which automatically model-binds to my contact class) and edits somebody else's information? As each record is identified by Id, all that would have to be done is make a fake POST with Id XXX, and then record #XXX would be overwritten with whatever the attacker supplied. How can I stop this?

The only thing I thought of is fetching the original instance from the DB first every time, checking that it is in fact within the user's scope of editable objects (the ones he'd usually see to edit), and only if that check passes proceeding with UpdateModel and committing the update changes.

Is there a better way?

Edit: This is not a Cross Site/CSRF attack. Another logged-in user can do this.

Recommended answer

Authorization for the view/page and authorization for the particular object are really two separate concepts. The best approach is to use an Authorize attribute in conjunction with the ASP.NET roles system to either grant or deny access to a given page. Once you have verified that the user has access to the page, then you can verify whether he has the permission he is requesting for the object on which he is requesting it. I use this approach in my application, and it works great. By using the Authorize filter first, it significantly improves performance, since the actual object permission checking is a much heavier operation.

Also, I use a home-brewed rules system to actually set and determine whether the user has access to the object. For example, in my system, administrators have full access to every object. (That's a rule.) The user who creates the objects has full access to the object (also specified by a rule). Additionally, a user's manager has full access to everything his employees have access to (again specified by a rule). My application then evaluates the object to see if any of the rules apply--starting with the least complex rules first and then moving on to the more complex rules last. If any rule is positive, I discontinue rule evaluation and exit the function.
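One way to lay out the action the answer describes (a cheap page-level Authorize gate first, then a short-circuiting list of ownership rules evaluated against the stored record before any model binding touches it), as an added example that is not code from the original answer; Contact, IContactRepository and IUserDirectory are assumed names.

```csharp
// Added example, not from the original answer. Contact, IContactRepository
// and IUserDirectory are hypothetical; the rule list mirrors the answer's
// creator / administrator / manager rules, cheapest first.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

public class Contact
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
}

public interface IContactRepository { Contact Find(int id); void Save(Contact c); }
public interface IUserDirectory { bool IsManagerOf(string manager, string employee); }

public class ContactsController : Controller
{
    private readonly IContactRepository _repo;
    private readonly IUserDirectory _users;
    private readonly List<Func<string, Contact, bool>> _rules;

    public ContactsController(IContactRepository repo, IUserDirectory users)
    {
        _repo = repo; _users = users;
        _rules = new List<Func<string, Contact, bool>>
        {
            (user, c) => c.OwnerUserName == user,                  // creator owns the record (cheap)
            (user, c) => User.IsInRole("Administrator"),           // administrators see everything
            (user, c) => _users.IsManagerOf(user, c.OwnerUserName) // manager of the owner (directory lookup, costly)
        };
    }

    // First positive rule grants access; evaluation stops there.
    private bool CanEdit(string user, Contact c) => _rules.Any(rule => rule(user, c));

    [Authorize(Roles = "User,Administrator")] // page-level gate runs before the action
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id)
    {
        var contact = _repo.Find(id);                  // load the stored record by posted Id
        if (contact == null) return HttpNotFound();
        if (!CanEdit(User.Identity.Name, contact)) return new HttpStatusCodeResult(403);
        // Bind only the editable fields; Id and owner are never taken from the POST body.
        if (!TryUpdateModel(contact, new[] { "Name", "Email" })) return View(contact);
        _repo.Save(contact);
        return RedirectToAction("Index");
    }
}
```

Because the ownership check runs against the record fetched by Id, a forged POST carrying somebody else's Id fails at CanEdit before TryUpdateModel can overwrite anything.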
