Home/ Questions/Q 8173957
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-06T22:19:45+00:00

Trying to build out an exception if move.UserId does not equal currentUserId then Redirect

  • 0

Trying to build out an exception if move.UserId does not equal currentUserId then Redirect to Action else if move.UserId does equal currentUserId return View.

See code here:

public ActionResult Details(int id)
    {
        MembershipUser currentUser = Membership.GetUser();
        Guid currentUserId = (Guid)currentUser.ProviderUserKey;
        Move move = db.Moves.Where(m => m.UserId == currentUserId)
            .FirstOrDefault();

            if (currentUser != null && currentUser.ProviderUserKey != null && currentUser.IsApproved)
            {
                if (move.UserId == currentUserId)
                {
                    return View(move);
                }
            }

        return RedirectToAction("Oops", new RouteValueDictionary(
 new { controller = "Account", action = "Oops", area = "", id = UrlParameter.Optional }));
    }

I would like to tie it to the url which will bring back Move/(int) so that if the user modifies this to an (int) that returns a move where move.UserId != currentUserId then they also redirect. Currently they can modify Url to obtain other’s moves.

MyController

    public ViewResult Index()
    {
        if (User.Identity.IsAuthenticated)
        {
            MembershipUser currentUser = Membership.GetUser();
            Guid currentUserId = (Guid)currentUser.ProviderUserKey;
            if (currentUser != null && currentUser.ProviderUserKey != null && currentUser.IsApproved)
            {
                var results = db.Moves.Where(move => move.UserId == currentUserId)
                    .ToList();
                return View(results);
            }
        }
        return View(db.Moves.ToList());
    }

    [ClientValidation]
    public ActionResult Details(Move move)
    {
        return View(move);
    }

MyView

@model MovinMyStuff.Domain.Entities.Move
@{
ViewBag.Title = "Details";
    }
<div>

    @Html.DisplayFor(model => model.StartCity),
    @Html.DisplayFor(model => model.StartState)
    @Html.DisplayFor(model => model.StartZip) -
    @Html.DisplayFor(model => model.EndCity),
    @Html.DisplayFor(model => model.EndState)
    @Html.DisplayFor(model => model.EndZip)
</div>
<fieldset>
    <div class="job-details">
    @Html.HiddenFor(model => model.MoveId)
    @Html.HiddenFor(model => model.UserId)
        <ul class="distance">
            <li>
                <div>
                    Distance</div>
            </li>
            <li>1,978.6 Miles</li>
        </ul>
        <ul class="address-wrapper">
            <li>
                <ul class="address from">
                    <li>
                        <div>
                            From</div>
                    </li>
                    <li><span>Address: </span>
                        @Html.DisplayFor(model => model.StartStreetNumber)
                        @Html.DisplayFor(model => model.StartStreetName)
                    </li>
    ...
    </fieldset>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The first thing to test is whether the LINQ query returned a Move. If it didn’t it means that the user is trying to display a move that doesn’t belong to him, because in your query you have a .Where clause which restricts to the current user moves only.

    Right now you’re gonna get a NullReferenceException.

    So:

    [Authorize]
public ActionResult Details(int id)
{
    MembershipUser currentUser = Membership.GetUser();
    Guid currentUserId = (Guid)currentUser.ProviderUserKey;
    Move move = db.Moves.Where(m => m.UserId == currentUserId && m.MoveId == id).FirstOrDefault();
    if (!currentUser.IsApproved || move == null)
    {
        // the user is trying to display a move that doesn't belong to him =>
        // redirect him or throw a 403 HTTP exception
        return RedirectToAction("Oops", new RouteValueDictionary(new { controller = "Account", action = "Oops", area = "", id = UrlParameter.Optional }));
    }

    // at this stage we can grant access to the user because we know
    // that he is authenticated, he is approved and that the move he is
    // trying to consult belongs to him
    return View(move);
}

    Obviously if you need to repeat this logic in many controller actions it is worth writing a custom Authorize attribute:

    [EnsureUserAllowedToConsultMove]
public ActionResult Details(Move move)
{
    // at this stage we can grant access to the user because we know
    // that he is authenticated, he is approved and that the move he is
    // trying to consult belongs to him
    return View(move);
}

    And here’s how this custom Authorize attribute might look like:

    public class EnsureUserAllowedToConsultMoveAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var authorized = base.AuthorizeCore(httpContext);
        if (!authorized)
        {
            return false;
        }

        if (!httpContext.Request.RequestContext.RouteData.Values.ContainsKey("id"))
        {
            return false;
        }

        var id = (string)httpContext.Request.RequestContext.RouteData.Values["id"];
        var currentUser = Membership.GetUser();
        var currentUserId = (Guid)currentUser.ProviderUserKey;
        return db.Moves.Any(m => m.UserId == currentUserId && m.MoveId == id);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var values = new RouteValueDictionary(new
        {
            controller = "account",
            action = "oops",
            area = ""
        });
        filterContext.Result = new RedirectToRouteResult(values);
    }
}

    Now you have managed to separate the concerns and externalize the authorization logic into a custom authorization attribute. Your controller no longer needs to be polluted with such code.

    • 0