Page security


Jon

Hello all.

Just after some help with handling page security.

I'm writing an app that has a number of companies. Each company has a number
of employees, standard stuff.

If I have a user who is a member of one company, they can request to see all
that company's employees. However, if they hack the query string so that
the company ID is no longer the company ID they belong to, they can see all the
employees of another company, bad!

How can this be stopped so that a 'Not enough Permissions' style error
occurs?

I'm using forms authentication and have set up the SiteIdentity and
SitePrincipal objects.

I'm also interested in any kind of address encryption or masking.

Thanks all,

JY
 

Dominick Baier [DevelopMentor]

Hi,

Assign roles to your users like "CompanyA".

Do a role check before they access the customer data.

Set up the roles in AuthenticateRequest - and use Page.User.IsInRole later.
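The two steps Dominick describes (issue the company role with the forms ticket, then rebuild the principal in AuthenticateRequest so `Page.User.IsInRole` works) look roughly like this in an ASP.NET Web Forms application. This is an added example, not code from the thread; it assumes the login page stores the company role in the ticket's `UserData` field as a comma-separated list, and that convention, along with the class and method names, is an assumption.

```csharp
// Added example (not from the thread). Global.asax.cs plus a login-side helper.
// Assumption: the login page stores the user's company role(s), e.g. "CompanyA",
// in the forms ticket's UserData as a comma-separated list.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class CompanyLogin
{
    // Called by the login page after the password check succeeds (assumed name).
    // FormsAuthentication.SetAuthCookie cannot carry UserData, so the ticket is
    // built by hand. The ticket is encrypted and MAC'd by the framework, so the
    // browser cannot rewrite its own company membership.
    public static void IssueTicket(HttpResponse response, string userName, string companyRole)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                          // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),
            false,                      // not persistent
            companyRole,                // UserData: role list, e.g. "CompanyA"
            FormsAuthentication.FormsCookiePath);

        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        response.Cookies.Add(cookie);
    }
}

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Forms authentication has already validated the cookie and set a
        // FormsIdentity; anonymous requests have nothing to do here.
        FormsIdentity identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return;

        // Roles come from the signed ticket, never from a form field or the URL.
        string userData = identity.Ticket.UserData ?? string.Empty;
        string[] roles = userData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        // Replace the principal so Page.User.IsInRole("CompanyA") works on every page.
        ctx.User = new GenericPrincipal(identity, roles);
    }
}
```

With this in place a page that lists employees for `?companyId=…` still has to call `User.IsInRole(...)` for the company it resolved from the id and refuse otherwise; the principal only makes the check possible, it does not perform it.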
 

Jon

Hi Dominick,

Thanks for that.

What about a situation where the user may be looking at data that is related
to companyA, such as tasks, where the Company information is not supplied?

Thanks,

Jon
 

Jon

Hi Dominick,

Yeah sure.

This is my database: Company -< Projects -< Tasks (-< = one - many)

If a user from CompanyB tries to view CompanyA projects, I can catch that
in the Page.User.IsInRole("CompanyA") method, as you explained in your
previous post.

However, if the user from CompanyB tries to view a Task from CompanyA (by
hacking the query string), it will appear. Now although the Task is linked to
a Company, via Projects, at the point the user views a SINGLE Task, the
Company to which it is linked is not available, so the
Page.User.IsInRole() method wouldn't be satisfied.

My basic problem is not allowing a user to see information that belongs to a
Company, but is associated to it via a link table etc.

Does that help?

Thanks.

Jon
 

Dominick Baier [DevelopMentor]

Hi,

Well, I guess you have to somehow do an access check in your application -
simply changing the query string is lame of course :))

Change the architecture somehow that you will be able to link the task to
a company and check that before retrieving the record...

Sorry, can't give you better advice without looking at the db/code myself...

HTH
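Dominick's suggestion, resolve the owning company of the task before handing the record back, can be done without changing the schema: the Company -< Projects -< Tasks chain Jon describes already lets a single join walk from a task id to its company. The following is an added example, not code from the thread. Table and column names (`Tasks`, `Projects`, `Companies`, `TaskId`, `ProjectId`, `CompanyId`, `Name`), the `AppDb` connection string name, the `?taskId=` query parameter and the convention that the role name equals the company's `Name` column are all assumptions.

```csharp
// Added example (not from the thread). Schema names, the "AppDb" connection
// string, the ?taskId= parameter and the role-name-equals-company-name
// convention are assumptions.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public static class TaskRepository
{
    // Walk Tasks -> Projects -> Companies to find who owns the task, then refuse
    // unless the caller holds that company's role. The decision is made on the
    // server from the real relationship, so editing the id in the URL gains nothing.
    public static DataRow GetTaskForUser(int taskId, IPrincipal user)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = conn.CreateCommand())
        {
            // Parameterised: the id from the query string is never concatenated into SQL.
            cmd.CommandText = @"
                SELECT t.TaskId, t.Title, t.ProjectId, c.Name AS CompanyName
                FROM Tasks t
                JOIN Projects p ON p.ProjectId = t.ProjectId
                JOIN Companies c ON c.CompanyId = p.CompanyId
                WHERE t.TaskId = @taskId";
            cmd.Parameters.Add("@taskId", SqlDbType.Int).Value = taskId;

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);

            // A task that does not exist and a task owned by another company get the
            // same 403, so a user probing ids cannot learn which ones exist.
            if (table.Rows.Count == 0 || !user.IsInRole((string)table.Rows[0]["CompanyName"]))
                throw new HttpException(403, "Not enough permissions");

            return table.Rows[0];
        }
    }
}

// Page code-behind (also part of the added example).
public partial class TaskPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int taskId;
        // Reject anything that is not an integer before it reaches the database.
        if (!int.TryParse(Request.QueryString["taskId"], out taskId))
            throw new HttpException(400, "Invalid task id");

        // Page.User is the principal rebuilt in AuthenticateRequest.
        DataRow task = TaskRepository.GetTaskForUser(taskId, User);
        // ... bind task["Title"] etc. to controls
    }
}
```

The same pattern covers any record reachable from a company through link tables: the repository method takes the record id and the principal, resolves the owning company with a join, and checks the role before returning. Putting the check in the data access layer rather than in each page means a new page cannot forget it.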
 
