Lets say I have a button (call it btnDeleteUser) that calls an event server-side to delete a user (lets call it DeleteUser()). Say I only set btnDeleteUser.Visible = true on this button if the user is an admin, and its false by default. My understanding is that the .Visible property keeps the button from being rendered to the user at all. Could a hacker still fire the DeleteUser() event, possibly by spoofing the POST data? Or does .NET catch that somehow?
I think the best practice here would be to check the user’s credentials again on DeleteUser() before doing anything, but I’m curious if this is even possible in the first place…
I’m using ASP.NET 4.0 Web Forms (not MVC).
It’s possible to spoof it yes, but Event Validation (assuming you’re using WebForms rather than MVC) should catch it.
However if you’re doing things client side, like adding options to a list and then selecting it, then Event Validation will error because the list doesn’t have its original contents, so people end up turning it off to make their lives easier.
Even if you have left event validation turned on you should have a defence in depth strategy, and role check regardless.