Tuesday, 15 July 2014

c# - In Entity Framework where should you check if the user has permission to Get or Set the data in DbSet/DbContext? -




I have a model in MVC that looks like this:

public class PdfFile
{
    [Key]
    [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
    public int Id { get; set; }
    public string Data { get; set; } // this is the byte array of the PDF file
    public int DataCount { get; set; }
    public DateTime Created { get; set; }
    public DateTime LockedOn { get; set; }
    public string CreatedBy { get; set; }
    public string SecurityInfo { get; set; } // XML to check the security level
    public string UserGroup { get; set; }
}

and in the DbContext I have:

public DbSet<PdfFile> PdfSet { get; set; }

and in the identity model I have a variable UserGroup:

public string UserGroup { get; set; }

Now, in the controller, every time I have to check whether the user has permission to access the PDF file, I have to do:

[Authorize]
[NoUserGroupNoAccess] // custom filter to ensure the user has a UserGroup that is not null or empty
public ActionResult SendSingleItem(int? id)
{
    var model = db.PdfSet.Find(id);
    if (model != null && model.UserGroup == user.UserGroup)
    {
        return View(model);
    }
    return null;
}

Now imagine the scenario where every time I have to access the model, either to edit details, delete, etc., I have to check:

if (model.UserGroup == user.UserGroup) // plus I have to check the XML in SecurityInfo individually for each user when editing or deleting

For lists I have to do:

var dbList = db.PdfSet.ToList(); // loads the whole table, then filters in memory
dbList = dbList.Where(u => u.UserGroup == user.UserGroup).ToList();

This makes the controller code ugly and hard to debug on error. Is there a way I can do these checks in the DbContext directly when editing, creating, deleting or accessing a record?

I am not sure if this is the right method of security-checking users.

I agree that it makes the code ugly and hard to maintain; it's not a good idea to couple data access with cross-cutting concerns. Consider using roles. Create a role and determine which role has access to which part of the application, and assign the user a role. Create a role, name it PdfAccess, and use the Authorize attribute with the role:

[Authorize(Roles = "PdfAccess")]
[NoUserGroupNoAccess]
public ActionResult SendSingleItem(int? id)
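A role on the action answers a different question from the check in the question. [Authorize(Roles = "PdfAccess")] decides who may call SendSingleItem at all; it does not stop a PdfAccess user from requesting the id of a row that belongs to another UserGroup. That per-row comparison is object-level authorization, and the question's instinct to push it into the DbContext is a reasonable way to make it impossible to forget. The following is an added example of that, written for this page and not code from the question or the answer. It assumes Entity Framework 6, a hypothetical ICurrentUser interface that the caller resolves once per request from the identity model, and a PdfFile cut down to the columns the checks need:

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using System.Security;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical abstraction over the logged-in user; resolve it once per
// request (e.g. from the identity model) and hand it to the context.
public interface ICurrentUser
{
    string UserName { get; }
    string UserGroup { get; }
}

// Reduced to the columns the checks below need.
public class PdfFile
{
    public int Id { get; set; }
    public string Data { get; set; }
    public string CreatedBy { get; set; }
    public string UserGroup { get; set; }
}

public class PdfContext : DbContext
{
    private readonly ICurrentUser _user;

    public PdfContext(ICurrentUser user)
    {
        if (user == null) throw new ArgumentNullException("user");
        if (string.IsNullOrEmpty(user.UserGroup))
            throw new SecurityException("Caller has no UserGroup; refusing to open context.");
        _user = user;
    }

    public DbSet<PdfFile> PdfSet { get; set; }

    // READ side. Controllers query this instead of PdfSet, so the group
    // predicate becomes part of the SQL WHERE clause and cannot be forgotten.
    // DbSet.Find() bypasses it, so resolve by id through this query instead.
    public IQueryable<PdfFile> PdfsForCurrentUser()
    {
        var group = _user.UserGroup; // local so EF parameterises it
        return PdfSet.Where(p => p.UserGroup == group);
    }

    // WRITE side. Every insert/update/delete funnels through SaveChanges,
    // whichever controller or service triggered it.
    public override int SaveChanges()
    {
        EnforceGroupOwnership();
        return base.SaveChanges();
    }

    public override Task<int> SaveChangesAsync(CancellationToken cancellationToken)
    {
        EnforceGroupOwnership();
        return base.SaveChangesAsync(cancellationToken);
    }

    private void EnforceGroupOwnership()
    {
        foreach (var entry in ChangeTracker.Entries<PdfFile>())
        {
            switch (entry.State)
            {
                case EntityState.Added:
                    // Stamp ownership server-side; never trust a posted UserGroup.
                    entry.Entity.UserGroup = _user.UserGroup;
                    entry.Entity.CreatedBy = _user.UserName;
                    break;

                case EntityState.Modified:
                case EntityState.Deleted:
                    // Compare the value the row HAD in the database, not the value the
                    // caller just set; otherwise a user could "adopt" any row by
                    // overwriting UserGroup with their own group before saving.
                    var storedGroup = (string)entry.OriginalValues["UserGroup"];
                    if (storedGroup != _user.UserGroup)
                        throw new SecurityException(string.Format(
                            "User {0} may not change PdfFile {1}", _user.UserName, entry.Entity.Id));
                    // Owners may not hand a row to another group either.
                    if (entry.State == EntityState.Modified)
                        entry.Property(p => p.UserGroup).CurrentValue = storedGroup;
                    break;
            }
        }
    }
}

// Controller usage (hypothetical). The role gate decides who may call the
// action at all; the context decides which rows they may touch.
// [Authorize(Roles = "PdfAccess")]
// public ActionResult SendSingleItem(int id)
// {
//     var model = db.PdfsForCurrentUser().SingleOrDefault(p => p.Id == id);
//     if (model == null) return HttpNotFound(); // same reply for "missing" and "not yours"
//     return View(model);
// }
```

Two caveats. Raw SQL issued through Database.ExecuteSqlCommand or Database.SqlQuery goes around both hooks, so those calls need the same predicate added by hand. And this only centralizes the UserGroup match; the per-user XML in SecurityInfo that the question mentions is a second, finer check whose format the page does not describe, so it is not modelled here.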

c# asp.net-mvc entity-framework
