问题描述
我有不同的用户在我的数据库中创建的职位的集合。
I have a collection of posts created by separate users in my database.
- 每个用户都可以创建帖子和编辑他们的职位。
-
要编辑自己的帖子,用户导航到一个页面的帖子/ EditPost?=帖子ID X,其中x是后ID。
- Each user can create posts and edit only their posts.
To edit their post, users navigate to a page "Posts/EditPost?PostID=x" where x is the post ID.
在帖子控制器具有[授权]'属性和行动检查的GET部分,看是否职位是由用户。
The "Posts" controller has an '[Authorize]' attribute and the GET part of the action checks to see if the post was made by the user.
如果用户确实做了后,它呈现的看法。在视图中没有与帖子ID。
If the user did indeed make the post, it renders the view. In the view there is a hidden field with the "PostID".
当用户提交表单,动作的POST部分,如果通过帖子ID登录用户的电流而产生的职位相匹配重新检查。
When the user submits the form, the POST part of the action rechecks if the PostID matches a post created by the current logged in User.
有没有更好的方式来做到这一点,而不必仔细检查用户是否有访问编辑的帖子,或者这是最好的方法是什么?
Is there a better way to accomplish this without having to double check if the user has access to edit the post, or is this the best way?
推荐答案
这实际上听起来pretty对我好。如果你不想检查用户两次,我可以建议的唯一事情是将使用类似的<一个href=\"http://blog.$c$cville.net/2008/09/01/$p$pvent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/\"相对=你的观点呈现nofollow的>防伪标记。因为你只有在如果你被允许编辑的帖子的观点,在这一点上我想你需要做的是检查,看看如果POST从您的网站来了。
That actually sounds pretty good to me. The only thing I could suggest if you didn't want to check the user twice would be to use something like an anti-forgery token that you render with the view. Since you only get to the view on if you are allowed to edit the post, at this point I would think all you need to do is check to see if the POST came from your site.
这篇关于ASP.NET MVC检查用户可以执行的操作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!