
Just discovered FluentSecurity. Looks very interesting.

My Web Application is written in MVC3, C# and Razor.

I am worried about the URLs being tampered with. So, on top of checking for authenticated users and correct roles, I also need to ensure that the user is not trying to tamper with the URL to view data that he/she has no access to.

i.e. he/she owns #10, so

Order/10 

is fine, but not:

Order/100

With the standard [Authorize] one could write a custom authorisation class that inherits from the Authorize class, which then checks the ID, which is okish... and works. So if the ID is owned by the user, then return true. How would this be implemented in the FluentSecurity environment?

Many thanks.

1 Answer

I can't tell you how to implement it but I can point you in the right direction. What you need is a custom policy. You can then set up a security context modifier to provide you with the querystring/route data you need.

Custom policies are covered here: https://github.com/kristofferahl/FluentSecurity/wiki/Custom-policies

Security contexts are covered here: https://github.com/kristofferahl/FluentSecurity/wiki/SecurityContext

answered 2014-04-21T19:14:02.270
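As an added example (not from the question, the answer, or the FluentSecurity project itself), here is the approach the answer describes in code: a security context modifier copies the route data and user name onto the context, and a custom policy checks that the order id in the URL belongs to the current user. OrderController, Details(int) and the isOwnedBy lookup are assumptions; the FluentSecurity API names are those of the 2.x releases.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using FluentSecurity;
// Minimal stand-in for the question's Order/{id} action (assumed, not from the page).
public class OrderController : Controller
{
    public ActionResult Details(int id) { return View(); }
}
// Custom policy: succeeds only when the "id" route value names an order owned by the current user.
public class OrderOwnerPolicy : ISecurityPolicy
{
    // Hypothetical ownership lookup (orderId, userName) => owned; back it with a real query.
    private readonly Func<int, string, bool> _isOwnedBy;
    public OrderOwnerPolicy(Func<int, string, bool> isOwnedBy) { _isOwnedBy = isOwnedBy; }
    public PolicyResult Enforce(ISecurityContext context)
    {
        if (!context.CurrentUserIsAuthenticated())
            return PolicyResult.CreateFailureResult(this, "User is not authenticated.");
        // RouteValues and UserName are put on context.Data by the modifier configured below.
        var routeValues = context.Data.RouteValues as RouteValueDictionary;
        int orderId;
        if (routeValues == null || !int.TryParse(Convert.ToString(routeValues["id"]), out orderId))
            return PolicyResult.CreateFailureResult(this, "No valid order id in the route.");
        return _isOwnedBy(orderId, (string)context.Data.UserName)
            ? PolicyResult.CreateSuccessResult(this)
            : PolicyResult.CreateFailureResult(this, "Order does not belong to the current user.");
    }
}
public static class SecurityConfig
{
    // Call once at application start (e.g. from Application_Start in Global.asax).
    public static void Configure(Func<int, string, bool> isOwnedBy)
    {
        SecurityConfigurator.Configure(configuration =>
        {
            configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
            // Copy route data and user name onto the context so the policy never touches HttpContext itself.
            configuration.Advanced.ModifySecurityContext(context =>
            {
                context.Data.RouteValues = HttpContext.Current.Request.RequestContext.RouteData.Values;
                context.Data.UserName = HttpContext.Current.User.Identity.Name;
            });
            // Apply the ownership policy to the Order/{id} action; the policy fails closed on a missing id.
            configuration.For<OrderController>(x => x.Details(0)).AddPolicy(new OrderOwnerPolicy(isOwnedBy));
        });
        GlobalFilters.Filters.Add(new HandleSecurityAttribute(), 0);
    }
}
```

Because the ownership lookup is injected, the policy can be unit-tested with a fake ISecurityContext whose Data carries a RouteValueDictionary and a user name, without spinning up an HTTP request.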