Home/ Questions/Q 6109461
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T14:24:26+00:00

I am designing an MVC 3 application where multiple tenants reside in a single

  • 0

I am designing an MVC 3 application where multiple tenants reside in a single database.

What is the best way to prevent users from editing/viewing other tenants data in MVC? (i.e. someone could type in ‘/People/Edit/1’ and edit the person with Id of 1- regardless of wether they are part of the tenants data or not).

I know I can override ‘OnActionExecuting(ActionExecutingContext filterContext)’ for each controller- but it sounds crazy to have to handle each action seperately, get the ID or OBJECT depending on if its a POST or GET and then check if the operation is allowed.

Any better ideas?

Also, I do not want to go down the route of creating a different database or schema for each tenant.

Thanks in advance.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Original answer

    To solve the problem quickly use guids instead of a auto-increasing integer. However this is just delaying the problem.

    One of the things you can do is to role your own authorize attribuut http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx Or you can chose to create a global actionfilter. http://www.asp.net/mvc/tutorials/understanding-action-filters-cs

    Addition information on how you could do it based on request in comment

    public class MySuperFilter : ActionFilterAttribute
    {
        //Called by the MVC framework before the action method executes.
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            String user = filterContext.HttpContext.User.Identity.Name;
            int id = int.Parse(filterContext.RouteData.GetRequiredString("Id"));
            if (!IsValidUser(user,id))
            {
                filterContext.Result = new RedirectToRouteResult(
                        new RouteValueDictionary {{ "Controller", "YourController" },
                                      { "Action", "YourAction" } });


            }

            base.OnActionExecuting(filterContext);
        }

        private bool IsValidUser(string user,int id)
        {
            //Check if the user has acces to the page
            return true;
        }
    }
    • 0