Home/ Questions/Q 8764309
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T16:00:14+00:00

What options/solutions are there for securing data using Entity Framework? I do not talk

  • 0

What options/solutions are there for securing data using Entity Framework?

I do not talk about forms login and such here, just assume that the users are authenticated or not.

To illustrate, i attached one of my web api controllers and i wonder if this is the way to do it. The reason why i ask is that i wonder if there are easier ways to do this than writing all this logic to what data to expose in all my controllers.

Also, when looking into a system like breezejs and odata where i can add $expand=TrafficImages to my queries, i would not want users to be able to get my hole database.

So to summarize, what ways are there to securing the data exposed such the users cant download sensible data.

[AllowAnonymous]
public object GetTheoryTests()
{
    var identity = ((ClaimsIdentity)((ClaimsPrincipal)HttpContext.Current.User).Identity);
    //if (HttpContext.Current.User.Identity.IsAuthenticated)


   if (!identity.IsAuthenticated)
     return db.TheoryTests.Include(t=>t.TrafficImages).Where(t=>t.PublicAvalible)
            .Select(t => new { Id = t.Id, Title = t.Title, Images = t.TrafficImages }).AsEnumerable();

   if (User.IsInRole("WebAdmins"))
       return db.TheoryTests.AsEnumerable();

    var key = identity.GetProvider();

    var member = db.Members.Include(m=>m.PayedTheoryTests).SingleOrDefault(m=>m.Identities.Any(
        i=>i.identityprovider == key.provider &&
        i.nameidentifier == key.id));
        if(member!=null)
            return db.TheoryTests.Include(t => t.TrafficImages).Where(t => t.PublicAvalible).Select(t => new { Id = t.Id, Title = t.Title, Images = t.TrafficImages }).AsEnumerable();
        else
            return db.TheoryTests.Include(t => t.TrafficImages).Where(t => t.PublicAvalible)
                .Union(member.PayedTheoryTests).Select(t => new { Id = t.Id, Title = t.Title, Images = t.TrafficImages }).AsEnumerable();



}

When thinking about it, what i miss is something like a viewmodel untop of my database depending on the state of the user. Would it be a solution to create two entity frameworks ontop of the same database, one for limited data display and one for more advanced operations?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Meanwhile, until QueryInterceptors arrive, you should take other steps. First, you should look into the techniques for securing a Web API controller or method, a subject beyond the scope of this answer.

    Second, w/r/t $expand, you are quite right to be wary of that feature. You may want to inspect which expansions are requested for some controller methods and/or disallow it altogether for others.

    Fortunately, this is relatively easy to do. You have access to the request query string. You can detect the presence of “$expand” in that string and analyze it if you want to allow certain expansions and forbid others.

    Breeze will add helpers for this in future. You’ll have to process the string until then.

    You may want to create your own action filter for this purpose if you’re up to it.

    • 0