My MVC application consists of Admin and normal users. Admin users can register as different customers using the system, and they can add their respective users to the system.
The controllers already have Authorize filters on certain controllers to prevent unauthorised access to certain pages/json.
However, say I have an admin user logged in, what prevents them from inspecting the Json posts/gets in the JavaScript and manually calling a ‘get’ with the Id of the specific data to be viewed? e.g. /Users/1
Testing my application, I could post an AJAX get, to retrieve the details of another user in the system which was not under the management of the current authenticated user.
I could write access check methods whenever a service method is called to see if the user can view the data. Are there any good ways of solving this problem without littering the application with access check methods all over the place?
E.g. current implementation:

    using System.Web.Mvc;
    using AutoMapper;

    public class PeopleController : ApplicationController
    {
        // The Authorize filter only establishes that the caller is logged in;
        // memberId comes straight from the request and is passed through as-is.
        public ActionResult GetMemberDetails(int memberId)
        {
            var member = _peopleService.GetMemberById(memberId);
            return Json(member, JsonRequestBehavior.AllowGet);
        }
    }

    public class PeopleService : IPeopleService
    {
        public MemberModel GetMemberById(int memberId)
        {
            // Void function which throws an Unauthorised exception
            MemberAccessCheck(memberId);
            var member = Mapper.Map<Member, MemberModel>(_memberRepository.GetById(memberId));
            return member;
        }
    }
The MemberAccessCheck function is called lots of times in my service.
You’re going to have to write these checks inside your controller or service. I don't think you should use a custom attribute filter for this behaviour because you are basically filtering data from a service layer standpoint. Nor is the Authorize attribute suitable for this feature either.
What I suggest is that you have a service method that accepts the current userId from the controller (take the User.Identity) and send it to the service to get the list of users or the single user that they can view/modify. So it's not necessarily littering with access checks, but it would be how your service operates (a business rule).
E.g. of a service method:
Or, just overload your previous service
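One way to apply the rule the answer describes, as an added example that is not code from the question or the answer: the service takes the authenticated caller's id and only ever queries within that caller's customer, so a request such as /Users/3 for a member of another customer simply finds nothing. The Member/CustomerId shape and the in-memory list standing in for _memberRepository are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Assumed data shape: every member belongs to one customer (tenant).
public class Member
{
    public int Id { get; set; }
    public int CustomerId { get; set; }
    public string Name { get; set; }
}

public class PeopleService
{
    private readonly List<Member> _members;  // stands in for _memberRepository

    public PeopleService(IEnumerable<Member> members) { _members = members.ToList(); }

    // Business rule: a caller only sees members of their own customer.
    // currentUserId comes from the authenticated identity, never from request input.
    private IEnumerable<Member> VisibleTo(int currentUserId)
    {
        var caller = _members.Single(m => m.Id == currentUserId);
        return _members.Where(m => m.CustomerId == caller.CustomerId);
    }

    public IEnumerable<Member> GetMembers(int currentUserId) => VisibleTo(currentUserId);

    // Returns null when the member exists but is outside the caller's scope,
    // so the controller can answer 404 instead of serialising another customer's data.
    public Member GetMemberById(int currentUserId, int memberId) =>
        VisibleTo(currentUserId).SingleOrDefault(m => m.Id == memberId);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: two customers, one admin (id 1) managing customer 10.
        var svc = new PeopleService(new[]
        {
            new Member { Id = 1, CustomerId = 10, Name = "alice" },
            new Member { Id = 2, CustomerId = 10, Name = "bob" },
            new Member { Id = 3, CustomerId = 20, Name = "carol" },
        });
        Console.WriteLine(svc.GetMemberById(currentUserId: 1, memberId: 2)?.Name ?? "not visible");
        Console.WriteLine(svc.GetMemberById(currentUserId: 1, memberId: 3)?.Name ?? "not visible");
    }
}
```

In the MVC controller the first argument would be resolved from User.Identity (for example via the identity framework's user-id lookup) rather than from a route or query parameter.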