This is quite hard for me to explain but I try to do my best.
I have an application with multiple users with logins. These users can have some employees attached to them. I wish to avoid users viewing/editing other employees that do not belong to them.
I have a User class like so:
public class User
{
    public int ID { get; set; }
    public string Name { get; set; }

    public User()
    {
    }

    public User(int userid)
    {
        //
        // Gets the user from the database and fills the properties
        //
    }
}
And an Employee class like this:
public class Employee
{
    public int ID { get; set; }
    public string Name { get; set; }

    public Employee()
    {
    }

    public Employee(int employeeid)
    {
        //
        // Gets the employee from the database and fills the properties
        //
    }
}
The problem in this is like when I edit an employee the querystring in the application can be like:
~/EditEmployee.aspx?id=1
Where the id is the ID of the employee. By quickly editing this ID I can be lucky to fetch an employee that does not belong to the current user logged in.
While this can be solved by having a
public Employee GetEmployee(int id)
{
    // Gets the employee (using this.ID as UserID) from the database
}
method on the User object, that supplies the stored procedure with the User.ID property and checking up with:
SELECT * FROM EmployeeTable WHERE EmployeeID = @EmployeeID AND UserID = @UserID
But with this I ALWAYS have to create an instance of the User object to get an employee.
This makes the Employee(int id) on the Employee object obsolete.
Is there not any other way around?
The question for this is that I am in the situation where I do not want to make an instance of the User object to get an employee because I am 100% sure I have the right employee ID. (To avoid too many database calls).
Do I really have to keep the Employee(int id) on the Employee object and create a new stored procedure that does not check up on UserID?
This example is fictive. Best way to explain it than pasting hundreds of lines of code and object. Maybe I am too much of a performance freak. But I just wish to improve my way of doing multiple user sites.
I really hope this will explain it well, I tried my best. 🙂
I think the most basic issue here meep is that you are mixing your code/object instantiation with your DataAccess.
I would suggest that you separate the two. Don’t use the Constructor of the object as a way of retrieving data from your database. Have a separate DataAccess layer that performs the queries, and then Hydrates your Employee Object.
If the employee data can only be retrieved in the context of the Current User, then you need to:
a) Keep that userId available during your web session
b) pass that userId to every database query as a filter to make sure only the correct data is returned.
Create the User object once at the start (i.e. when they login) and put the User object into Session/Cache.
Just to emphasize, I wasn’t suggesting mixing session vars into your DataAccess.
You could have some property on your Page/BasePage for storing the user Object in session. e.g.
You would populate that object with the User Object when the user logs in. Then you can go back and get it at any time. e.g.
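One way to lay out the separation the answer describes, as an added example that is not code from either post: the Employee constructor no longer touches the database, an EmployeeRepository runs the parameterized query from the question with both IDs, and a BasePage exposes the User that was put into Session at login. The class names, the Session key and the connection string are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Plain data objects: no database access in constructors (hypothetical layout).
public class Employee { public int ID { get; set; } public string Name { get; set; } }
public class User     { public int ID { get; set; } public string Name { get; set; } }

// Data access layer: every employee query is scoped to the owning user, so a
// tampered ?id= in the querystring can only ever return that user's own rows.
public class EmployeeRepository
{
    private readonly string _connectionString;   // assumed to come from web.config
    public EmployeeRepository(string connectionString) { _connectionString = connectionString; }

    // Returns null both when the employee does not exist and when it belongs to
    // another user; the page treats both the same way, so nothing about other
    // users' employee IDs is revealed.
    public Employee GetEmployee(int employeeId, int userId)
    {
        const string sql = "SELECT EmployeeID, Name FROM EmployeeTable " +
                           "WHERE EmployeeID = @EmployeeID AND UserID = @UserID";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@EmployeeID", SqlDbType.Int).Value = employeeId;
            cmd.Parameters.Add("@UserID", SqlDbType.Int).Value = userId;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return null;
                return new Employee
                {
                    ID = reader.GetInt32(0),
                    Name = reader.IsDBNull(1) ? null : reader.GetString(1)
                };
            }
        }
    }
}

// Base page: the User object is stored in Session once at login and read back
// here, so pages never trust a user id that arrives from the client.
public class BasePage : Page
{
    protected User CurrentUser
    {
        get { return (User)Session["CurrentUser"]; }   // assumed session key
        set { Session["CurrentUser"] = value; }
    }
}
```

In EditEmployee.aspx.cs (inheriting BasePage) the lookup then becomes `new EmployeeRepository(connStr).GetEmployee(id, CurrentUser.ID)` after `int.TryParse` on the querystring value, with a null result handled as "not found" regardless of why.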