Example:
I have an Albums table filled with cd albums and I want to change album number 5 . An album model gets passed to the detail view of AlbumsController.
In the view I can then edit the album fields and submit the changes to album number 5.
If I change the hidden ID value of album number 5 into ID 27 album number 27 will get the values of album number 5
Is there a MVC ASP.Net build in way to prevent changing of keys ? Am I missing something ?
One way to solve this problem is to compute the hash of Album number and set it in the hidden field. The reason to use hash is that it is hard for the user to guess what value is it.
At the same time, hold the computed hash on the server Session. So next time when user posts data, you can check the posted hash with Session hash, and if there are one and same, then update the album object. If hashes doesn't match, then throw the error to user saying that data got tampered.
EDIT
To check user permissions on a given object, first get HttpContext.User.Identity which will give you the information about logged-in user into application. Using this information cross check if the same user got enough permissions on the object (say for example album 123) to perform update/delete operations.
You should be storing somewhere in your database the proper mappings between albums and users for allowed permissions. An index table where AlbumId and UserId should be stored.
Assuming you give the user a list of albums to change and permission to change them, then 'change album 5 to X' and 'change album 27 to X' are both valid commands they are going to be able to construct from the information you give them.
I Assume what you mean is,
how can I prevent a user modifying albums they have no permission to
modify by injecting a different id variable.
Once you phrase it like that the answer is obvious. When you receive the change request on the server, check the users permission to change the particular album before you do it!!
Also, using a GUID instead of an int Id, will make you life much easier
Related
Scenario:
(with an ASP.NET web app - Core or MVC)
I have a database with Users and Items for each user.
That means the UserId is a foreign key in the Items table.
From the browser I login as a User. I get my Items as a list of ItemViewModels, which are mapped (AutoMapper) to ItemViewModels via a simple api GET request.
I want to update one of the items (which should belong to me - the logged in user) via a simple API call. So I send the modified item back to the server via a PUT request as an ItemViewModel.
First approach:
The simplest approach would be to include the Item's database ID, ItemId, in the ItemViewModel - so when I receive the item to be updated as an ItemViewModel, I can map it back to the existing item in the database.
This however sounds pretty unsafe to me, as anyone could modify the PUT request with any ItemId and affect items which don't belong to the user who executed the request. Is there anything I'm missing about this approach?
Second approach:
Don't pass the database PK ItemId in the ItemViewModel.
Instead use an additional form of identification: let's say that user X has 10 items. And they are numbered from 1 to 10 using a property named UserItemId(which also exists in the database).
I can then pass this UserItemId in the ItemViewModel and when I get it back I can map it to an existing Item in the database (if all was ok with the request) or discard it and reject the request if the UserItemId didn't match anything from the logged in user's items.
Is anyone using this approach?
Pros:
The user only has access to it's own items and can't affect anyone else's since it doesn't know the actual Item ID (primary key), and any modifications are restricted to it's items.
Cons:
A great deal of extra management must be implemented on the server side for this approach to work.
Any other approaches ?
Please consider that the case mentioned above applies to all entities in the database which a client side implementation can CRUD, so it's not just the simple case described above.
The proposed solution should work for the entire app data.
I know this question has been asked here and here but the first one doesn't have a satisfying answer and I don't think the second one really applies to my situation, since it just deals with the UserId.
Thanks.
EDIT
Please consider the Item above as an aggregate root which contains multiple complex subItems each with a table in the db. And the question applies for them as much as for the main Item. That means that each subItem is passed as a ViewModel to the client.
I should mention that regarding further securing the update request:
For the first approach I can easily check if the user is allowed to change the item. But I should do this for all subItems too.
For the second approach I can check if the user can update the Item as follows: I get the userItemId of the incoming ViewModel -> I get all the logged in user's items from the database and try to find a match with the same userItemId, if I get a hit then I proceed with the update.
I think your application is not secure, if you only hide the Id.
You must check, before changing the database entity, if the user is allowed to change the entity.
In your case you should check, if your Id from the authenticated user is the UserId in your item.
If your ViewModel ist similar or identical for your API you could use a FilterAttribute in your controller.
I'm trying to get a handle on how to use custom Swift classes to model my Syncano backend. I have classes MPUser and MPUserProfile exactly as described in this guide. However, instead of adding an avatar field, I'd like to add a friends list. Should this property be:
An array of MPUsers
An array of MPUserProfiles
An array of integers corresponding to the other users' IDs
Something else?
Edit: their page on classes makes it sounds like I would want an array of type Reference (referring to users' IDs) but their arrays can only have string/int/boolean/float. I'm now wondering if an array of (non-Reference) integers will work fine.
Thank you for your help.
Currently Syncano doesn't support holding arrays of references. It's something we are working on (adding many-to-many relationships), but in the meantime you should could safely just use array type and store ID of referenced objects in there.
When you store array of IDs, you can use either ID of a user, or ID of a user profile.
The connection between them is as follows:
User is a physical user that logs into your app.
His profile is an object that belongs to him.
User A cannot be accessed by user B, but profile of user A can be accessed by user B.
You can get a profile of user A either by using profile ID (object id from user_profile class), or by using user A id (owner field in object inside user_profile class).
Depending on which route you take, you can then ask Syncano for list of all friends doing either:
give me all user profiles, where ID is in [array of user profile IDs]
or, give me all user profile, where owner is in [array of user IDs]
An array of MPUser's definitely. I haven't used Syncano so I may be utterly wrong on this, but having using Couch, Firebase and played with Realm...
The whole idea of key/value/object/document stores like these is that details of the storage are abstracted away in the back end. So you put an MPUser in an array, and when you access that array sometime later you get it back. Totally magic. That the DB itself might physically store that as an Int64 or inline the entire string is of no interest to you - data in, data out.
I suspect you have worked in the SQL world, which is why you put that last option there? Generally that's not how you work in object stores - thank gawd.
I have the table Users and the table Posts.
---Users---
id
name
---Posts---
id
text
User
How do I get the list of users, including the posts? I know how to get the list of posts with the users, because the pointer of the user is in that table. But the users does not have any pointers to posts.
What you want will be a lot of requests. You can easily query for (and paginate) the users. Then, for each user, you need to make another (paginated) request to find Posts with a pointer to that user. For that use whereKey:equalTo: with the bame of the user column on the Post and the current user instance.
Do you have a list of users already, and need to get all of their posts? If so, use the whereKey:containedIn: method. You can also create a query on users that pulls all the users you want to pull the posts for, and then rather than running the query, you create a second query on your posts objects and use whereKey:matchesQuery: which means that the object referenced in the Key is an object that would be returned by the query you pass in. So it'll return all the posts relevant to the users that would be returned from the initial query.
When you run this query, you may want to look into the query.each() method as an alternative to query.find(). query.find() is limited to 1000 results, query.each goes through every single result. This could be a problem when you scale, though, as cloud methods have a 15 second timer, and before/after save triggers have a 3 second timer.
I have two tables which has "photo URL" columns, that contain same image URL. So when I change value in one table, I would like the value in another to update automatically. So how can I set this relationship in Backendless? Like foreign key in SQL.
EDIT:
I have included Users table as property of ActionCreation table. Users have property for URL of logo for the user. In ActionCreation table I need to have exactly the same photo URL. When I included Users as property of ActionCreation, there is no custom properties are loaded form Users object. But I need access photo URL in my app. What the best way to do it?
Thank you.
Is there a relationship between the tables?
How does the same value get into two tables? Do you write it there twice?
Mark
Here's my question:
I need to write a wizard, for customers to "create a new" very big objetc, with some other asociated with it: for example, Some images stored in another table (with relationships), some Lat's and Lang's for google earth, etc.
Each of them are stored in diferent tables in the Database, and that's why, i have to first insert to get the first object's Database generated ID to make the relationships with the another Objects. That's the reason I think puttin' Everything on just one View and hide selective DIVs with Jquery is not one of my option.
Session isn't an option because of the bigger object.
And because of the type of website, the wizard MUST be as follows:
Basic details of objetct 1
Images of object 1 (I will need here the ID of the first object)
Geolocations (with google maps, as before)
More details of object 1.
Preview
Publish
The point is, in step 4, user fill some fields that are required by the DB, and I cannot make them nullable as is it part of the customers reqs.
If somebody can a least give Ideas, will be nice...
Thanks in advance
You state that storing your object in Session is not desirable because of the size of the object. An alternative is to serialize that object and store it in the database. As the user progresses through the wizard, that object gets retrieved, updated and stored back in as a blob. Once they publish it, you can insert the appropriate records and remove the serialized object from whatever table you're storing them in.