I have the following Ajax.ActionLink inside a view to add an answer under a question:
@Ajax.ActionLink("Add Answers",
    "Create", "Answer",
    new { questionid = question.QuestionID },
    new AjaxOptions
    {
        InsertionMode = InsertionMode.Replace,
        HttpMethod = "Get",
        UpdateTargetId = "removetable"
    })
which will call the following action method:
public ActionResult Create(int questionid)
{
    // Populate the IsRight drop-down (typo ToLis() corrected to ToList())
    ViewBag.IsRight = new SelectList(repository.FindAllAnswerDescription().ToList(), "IsRight", "description", 1);
    ViewBag.questionid = questionid;
    Answer answer = new Answer();
    return PartialView("_answer", answer);
}
So my question is: will a hacker be able to modify the new { questionid = question.QuestionID } parameter sent by the Ajax link? And if yes, how can I avoid this?
BR
Edited:
I am doing the following check using a helper method (IsauthorizedBy) in the POST action method to check whether the user is authorized to answer a question or not:
[HttpPost]
public ActionResult Create(int questionid, Answer a)
{
    // Look the question up server side and check the current user against it
    var q = repository.findquestion(questionid);
    if ((q == null) || (!q.IsauthorizedBy(User.Identity.Name)))
    {
        // original returned a bare string, which does not compile for ActionResult
        return Content("error");
    }
    if (ModelState.IsValid)
    {
        repository.AddAnswer(a);
        repository.Save();
        return PartialView("_details", a);
    }
    // validation failed: redisplay the answer form with the posted values
    return PartialView("_answer", a);
}
So will it handle a hacker who tries to modify the question id and answer a question he is not authorized to answer?
BR
Yes, but you want to ensure on the server side that they have access to this question by querying their permissions and some database scheme in place ensuring they have access to this. If it’s not feasible then you can use Html.AntiModelInjectionFor from mvcsecurity.codeplex.com plus [ValidateAntiModelInjection()].
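As an added illustration of the server-side check the answer describes (this is example code, not the asker's code or anything from mvcsecurity.codeplex.com), here is what the POST action looks like when it trusts only its own data. It assumes an IAnswerRepository with FindQuestion/AddAnswer/Save, an Answer model with QuestionID, Description and IsRight properties, and a Question.IsAuthorizedBy(string) helper like the one in the question; all of those names are assumptions. Two points beyond the original code are worth noticing: the questionid in the URL can be edited freely by the client, so the authorization decision is made from the question loaded on the server, and the Answer object is model-bound from the request body, so a posted QuestionID field is excluded with [Bind] and then overwritten with the id that was just authorized, otherwise the check on questionid would not actually govern which question the answer is attached to.

```csharp
using System.Net;
using System.Web.Mvc;

// Added example: hardened POST action for the question/answer scenario above.
// IAnswerRepository, Answer and Question are assumed application types.
[Authorize]                                    // anonymous users never reach the actions
public class AnswerController : Controller
{
    private readonly IAnswerRepository repository;   // assumed interface

    public AnswerController(IAnswerRepository repository)
    {
        this.repository = repository;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]                 // view must render @Html.AntiForgeryToken() in the form
    public ActionResult Create(int questionid, [Bind(Include = "Description, IsRight")] Answer a)
    {
        // 1. Authorize against the server's own record of the question, not the client's claim.
        var q = repository.FindQuestion(questionid);
        if (q == null || !q.IsAuthorizedBy(User.Identity.Name))
        {
            // One status for "missing" and "not yours" so the id cannot be probed for existence.
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }

        // 2. [Bind(Include=...)] already drops any posted QuestionID; re-assert the authorized id
        //    so the answer can only ever be attached to the question that was just checked.
        a.QuestionID = q.QuestionID;

        if (!ModelState.IsValid)
        {
            ViewBag.questionid = questionid;
            return PartialView("_answer", a);
        }

        repository.AddAnswer(a);
        repository.Save();
        return PartialView("_details", a);
    }
}
```

The GET action that returns the empty form can carry the same FindQuestion/IsAuthorizedBy check; it costs one query and stops the form from being rendered for questions the user may not answer, but the POST check is the one that matters because the GET can be skipped entirely by anyone who crafts the request by hand.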