How to secure MVC RESTful Urls from Hacking?

This is what I did for exactly the same situation, first I declared an extension to the object:

    public static bool Editable(this EXPENSE_OBJ e)
    {
        if (e != null)
        {
            UserRepository ur = new UserRepository();
            if (ur.CurrentUser().UserId == e.UserId) // Check if the user owns the claim
            {
                return true;  // User owns the claim
            }
            else
            {
                return false; // User does not own the claim
            }
        }
        return false; // Nothing to check: no claim was loaded
    }

And then in the controller:

    public ActionResult Details(int id)
    {
        var item = repo.GetItem(id);
        if (!item.Editable())
        {
            return View("InvalidURL");
        }
        ...
    }

Let's say the Employee belongs to a Company and to retrieve the Company details I call /Company/Details/101, i.e. again it's a RESTful Url for the Company Details. In this instance I guess I would also need to pass in the UserId and check if the User belongs to the Company he is retrieving at the database level? – Click Ahead Jun 15 at 17:01

+1 this is broadly similar to the approach that I take. My checking object is extended a little in that it allows admin role users to also view/modify the 'user' object – jim Jun 15 at 17:29

Exactly, though personally I have implemented a ur.CurrentUser() so I never have to pass through the userid. – Chris Jun 16 at 8:35

You will want to utilize the ASP.NET Roles and Membership API. If you are already doing that then all you need to do to start is mark the controller with an IsUserInRole check.

You can find more information about the Roles Class here: MSDN Roles Class.

I've already implemented my own Membership & Roles API and this works fine, i.e. in my app the user is Authenticated and then he is Authorised to access the Action.

But the User then uses the Action to retrieve a different set of data from the database. I need to secure access to only his data. Does that make sense? – Click Ahead Jun 15 at 16:56

I use a many-to-many table that holds a relationship between the user and the ID of the entities they are allowed to modify. Every time anyone attempts to change one of those entities, I do a check to make sure that they are allowed to do it. I also put a trigger on the table that holds the entities that will delete associated records in that many-to-many table whenever an entity is deleted.

This has worked out quite well for me. Another thing you could do is use a Guid instead of an int for your primary key. That will prevent people from guessing the primary key.
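As an added example (not code from any of the answers above), this applies the many-to-many access table from this answer to the Company-membership case raised in the comments: the controller resolves the logged-in user on the server and checks the URL's id against that user before loading anything. AccessRepository and UserRepository are constructed stand-ins for the real tables, and the "alice" → 7 and (7, 55) rows are made-up sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Mvc;

// Constructed stand-in for the many-to-many "user may access entity" table;
// a real app runs this as a query keyed on the current user's id.
public class AccessRepository
{
    // (userId, companyId) rows; constructed sample data
    private static readonly HashSet<Tuple<int, int>> CompanyMembers =
        new HashSet<Tuple<int, int>> { Tuple.Create(7, 55) };

    public bool UserBelongsToCompany(int userId, int companyId)
    {
        return CompanyMembers.Contains(Tuple.Create(userId, companyId));
    }
}

// Assumed: maps the authenticated login to the application's user id, the role
// the answer's UserRepository.CurrentUser().UserId plays. Constructed sample data.
public class UserRepository
{
    private static readonly Dictionary<string, int> UserIds =
        new Dictionary<string, int> { { "alice", 7 } };

    public int? UserIdFor(IPrincipal principal)
    {
        int id;
        if (principal != null && principal.Identity.IsAuthenticated
            && UserIds.TryGetValue(principal.Identity.Name, out id)) return id;
        return null; // not logged in or unknown login: treat as owning nothing
    }
}

[Authorize] // answers "is logged in"; ownership of the id is a separate check
public class CompanyController : Controller
{
    private readonly AccessRepository access = new AccessRepository();
    private readonly UserRepository users = new UserRepository();

    // GET /Company/Details/55 -- the id is client-supplied, so it is paired with
    // the server-side identity before any record is loaded or rendered.
    public ActionResult Details(int id)
    {
        int? userId = users.UserIdFor(User);
        if (userId == null || !access.UserBelongsToCompany(userId.Value, id))
            return HttpNotFound(); // same reply as "no such id": no oracle for probing
        return View(id); // model: the company loaded by id (loading omitted here)
    }
}
```

Returning the same 404 for a foreign id as for a nonexistent one means the response never confirms which ids exist. The membership check stays necessary even with Guid keys, since ids still leak through shared links, logs and referrers.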

