In the context of an ASP.NET website, what's the most efficient way to check whether a user has access to a particular record?
I have a webpage that you pass in an id parameter (via a querystring), which it then uses to fetch data from a database. Typically, a user would navigate to this page from another page that lists only those records that the user has access to. However, if they go directly to the page by typing in the URL in the Address Bar, they can effectively view any record they like.
E.g., if they were to type something like http://localhost/TestSite/ClientAdmin/ManageLocation.aspx?LocationID=5 into their Address Bar, they can access the database record with the LocationID equal to five, even though they shouldn't have access to it.
Now, I could solve this by doing a database check every time the page is loaded to see whether the current user has access to the record they're trying to view. However, this doesn't seem very efficient given that in most cases a user won't be trying to access a record that isn't theirs. Does anyone have a better suggestion?
Thanks.
Rather than doing an extra check when the page is loaded, you could use an INNER JOIN and effectively return nothing if the access rights aren't there.
If all the indexes are there it shouldn't cost very much.
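The INNER JOIN approach from the answer above, as an added example that is not part of the original thread: fetch and access check happen in one parameterized statement, shown next to the id-only lookup the question describes. The `Locations`/`UserLocations` tables, their columns and the rows are constructed assumptions, and Python's `sqlite3` is used only so the query runs offline.

```python
import sqlite3

# Constructed schema and rows; table and column names are assumptions.
SCHEMA = """
CREATE TABLE Locations (LocationID INTEGER PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE UserLocations (
    UserID INTEGER NOT NULL,
    LocationID INTEGER NOT NULL REFERENCES Locations(LocationID),
    PRIMARY KEY (UserID, LocationID)   -- doubles as the index the join uses
);
INSERT INTO Locations VALUES (4, 'Warehouse A'), (5, 'Head Office');
INSERT INTO UserLocations VALUES (1, 4), (2, 5);
"""

# Lookup by id alone: any signed-in user can read any row by editing the URL.
UNSCOPED = "SELECT LocationID, Name FROM Locations WHERE LocationID = :location_id"

# Fetch and authorize in one statement: the join yields a row only when the
# current user is linked to the requested location.
SCOPED = """
SELECT l.LocationID, l.Name
FROM Locations AS l
INNER JOIN UserLocations AS ul ON ul.LocationID = l.LocationID
WHERE l.LocationID = :location_id AND ul.UserID = :user_id
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def get_location_unscoped(conn, location_id):
    return conn.execute(UNSCOPED, {"location_id": location_id}).fetchone()

def get_location_for_user(conn, user_id, raw_location_id):
    """Return the row, or None for both 'no such record' and 'not yours'."""
    # user_id must come from the authenticated session, never from the request.
    try:
        location_id = int(raw_location_id)   # querystring values arrive as text
    except (TypeError, ValueError):
        return None
    params = {"location_id": location_id, "user_id": user_id}
    return conn.execute(SCOPED, params).fetchone()

if __name__ == "__main__":
    db = open_db()
    print(get_location_unscoped(db, 5))        # row returned regardless of user
    print(get_location_for_user(db, 1, "5"))   # user 1 is not linked to 5
    print(get_location_for_user(db, 2, "5"))   # user 2 is linked to 5
```

Returning the same empty result for a missing record and a record belonging to someone else avoids confirming which ids exist.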
You could use Page.Request.UrlReferrer to see where they've come from, but it isn't a completely safe way of achieving this.
If each user has 'their own' data, that other users don't have access to, then it sounds like you may want to look at proper multitenancy - though that is often on a per-organisation basis rather than per-user:
http://en.wikipedia.org/wiki/Multitenancy