Home/ Questions/Q 7760543
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T13:55:00+00:00

I have a image gallery like Google+ or Facebook and i want to avoid

  • 0

I have a image gallery like Google+ or Facebook and i want to avoid that a unauthorized person can show a image if he contact on other way the controller (../GetImage/test).

The image is saved on the file system and the path to the image in the database.

A user can only show a image, when the image is public or shared with the user. I want to avoid a SQL query (to check if the user can show the image) on a request to the controller (../GetImage/test), because i dont think, that is a good practice, when i want to load 500 images in one time.

Is there a better practice to check, if the user is authorized to show the image?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You need to build your data model so that your request for the image contains joins to your authorization system, this way you cannot access an image that you are not authorized to, and it happens in a single query.

    Since I don’t know how your data model is structured, I can only give you a basic exampl, and I assume you’re using Entity Framework for your data access.

    public string GetImage(int id) {
    using (var db = new DataEntities()) {
        return imagePath = (from i in db.Images 
                        where i.AuthorizedUsers
                        .Any(x => x.UserName == User.Current.Name)
                        && i.id == id
                        select i.ImagePath).FirstOrDefault();
    }
}

    Of course this won’t prevent unauthorized users from getting the image if they have the URL to the image, so you would need to return the image directly, not just the path.

    So something like this:

    public ActionResult GetImage(string id) 
{ 
    // code from above

    var dir = Server.MapPath("imagePath"); 
    return base.File(path, "image/jpeg"); 
}
    • 0