Home/ Questions/Q 7034025
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T01:08:10+00:00

I have a Note domain object which belongs to a Document object. Only an

  • 0

I have a Note domain object which belongs to a Document object. Only an owner of a Document can add Notes so in the Document class there is a canUserAccess() method. In my service layer I can call canUserAccess() to ensure a user only adds Notes to Documents they own.

This works well for create but I have hit a problem with my Note edit action. On post, the viewmodel is mapped to a Note object, providing it with a DocumentID. Problem is, a malicious user could send in a DocumentID on which they do have permission and thus edit a Note belonging to a Document they don’t. In my service layer I cannot reliably use the supplied DocumentID yet I need to get the related DocumentID in order to verify that the user can edit the Note. This is an example:

public void editNote(Note note)
    {
        note.Document = documentRepository.Find(note.DocumentID);

        if(note.Document.canUserAccess())
    }

How do I get around this? It seems I need to avoid passing the DocumentID with the edit viewmodel but how do I hydrate the related Document in the service layer? There is probably a really simple solution to this and I am just tying myself up in circles!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You do this with BindAtrribute for the model or for the action method by adding a white list with the properties you want to be bound :

    for the model

    [Bind(Include="NoteText,NoteTitle")] 
public Model{}

    for the action method

    public ViewResult Edit([Bind(Include="NoteText,NoteTitle"]Note note)){}

    or use a black list for the properties you don’t want to bind :

    [Bind(Exclude="DocumentID")] 
public Model{}

    I would personally use white list with the model class. You might find this article interesting. The last section for under-posting is your case.

    Then you don’t have the documentID passed, but in your action you can do this:

    public ViewResult Edit(Note note)
{
  Note updateNote = nodesRep.Get(note.noteID);

  if(updateNote.Document.canUserAccess())
  {
      //replace the values of the updateNote
      //you can place this line in your base Repository class 
      context.Entry<Note>(updateNote).CurrentValues.SetValues(note); //I assume EF 4.1
  }  
}
    • 0