Wednesday, 1 October 2014

Result filter to block data based on user profile






Say I have a controller action like this.



    [Authorize]
    public ActionResult Details(int id)
    {
        return View(_playlistService.GetPlaylistDetails(id));
    }


The user has to be authorized to access the action. After that he can see details for any id he sends to the server. But I don't want that, since the application will be used by many customers that have data that is not sharable. To solve this, each playlist has a property customerGuid by which I can tell who the owner is.


The user also has a profile where it is possible to get info about which customer/organization he belongs to:



    var profile = Profile.GetProfile(User.Identity.Name);
    var customerGuid = profile.CustomerGuid;


So I want to keep the controllers skinny and the service and data layers separate from the controllers.


Where would I put the code that checks that? There are also more controllers that retrieve other data that have the same requirements. I was thinking about writing a result filter, but am not quite sure how to approach this for different types of results.


For cases where a user requests data that is not his I would like to return a 404 error.



asked 34 secs ago
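One way to do the ownership check the question describes, as an added example that is not part of the original post: an ASP.NET MVC action filter that inspects the model after the action runs and swaps the result for a 404 when it belongs to another customer. It hooks OnActionExecuted, where replacing the result is supported, rather than a result filter. The names ICustomerOwned and CustomerOwnedResultAttribute are hypothetical, and Profile.GetProfile is assumed to be the question's own static helper returning a Guid-typed CustomerGuid.

```csharp
using System;
using System.Collections;
using System.Linq;
using System.Web.Mvc;

// Hypothetical marker interface: every model that belongs to one customer implements it.
public interface ICustomerOwned { Guid CustomerGuid { get; } }

// Added example: returns 404 when the action's model is owned by a different customer.
public class CustomerOwnedResultAttribute : ActionFilterAttribute
{
    public override void OnActionExecuted(ActionExecutedContext filterContext)
    {
        if (filterContext.Exception != null) return;   // leave error handling alone
        object model = ExtractModel(filterContext.Result);
        if (model == null) return;                     // redirects, files, empty results

        // Profile.GetProfile is the question's helper; CustomerGuid is assumed to be a Guid.
        var profile = Profile.GetProfile(filterContext.HttpContext.User.Identity.Name);
        Guid caller = profile.CustomerGuid;
        if (!IsOwnedBy(model, caller))
            filterContext.Result = new HttpNotFoundResult();
    }

    // The model sits in a different place for each result type.
    private static object ExtractModel(ActionResult result)
    {
        var view = result as ViewResultBase;           // ViewResult and PartialViewResult
        if (view != null) return view.Model;
        var json = result as JsonResult;
        if (json != null) return json.Data;
        return null;
    }

    private static bool IsOwnedBy(object model, Guid caller)
    {
        var single = model as ICustomerOwned;
        if (single != null) return single.CustomerGuid == caller;

        var many = model as IEnumerable;               // list pages: every item must match
        if (many != null && !(model is string))
            return many.Cast<object>().All(item => IsOwnedBy(item, caller));

        return false;                                  // fail closed: unmarked models are blocked
    }
}
```

Decorating an action with `[Authorize, CustomerOwnedResult]` keeps the controller body unchanged. The filter runs after the data has already been loaded, so passing the caller's customerGuid into the service query as well keeps other customers' rows from being read at all.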






