I’m building a small application that will have multiple users using ASP.NET MVC, but I’m not sure how to handle user authorisation in the scenario below. I may be missing something obvious as I’m still learning, so any advice is appreciated.

Basically, to illustrate my problem, consider that I’m building a very small email like messaging system. Here is the action to read a message:

/Message/ReadMessage/1

Where Message is the controller, ReadMessage the action and 1 is the MessageId.

Now this message was for “Bob” and in the db his UserId is stored with the message. Another user called “Fred” has also received a message and the MessageId for this is 2.

In my application, there would be no way for Bob to see Fred’s messages on the page directly or through links (messages should be private to each user), so what is the best way for me to protect from Bob simply changing the MessageId in the URL manually from 1 to 2 and viewing Fred’s message?

As a current solution to this, I have a very simple check at the beginning of my controller action which compares the UserId stored with the message to the current UserId and if they don’t match, the user is redirected (to say, their inbox).

Is this a suitable solution for such a scenario? I get the feeling that while this works now, it isn’t the best approach to this problem. Thanks for the help.