c# - How to protect a Web API from data retrieval not from the resource owner
I have an ASP.NET Web API. I want to self-host the Web API myself and later move it to an Azure website.

A logged-in user in the browser requests /api/bankaccounts/3 to see the details of bank account number 3, but the logged-in user is not the owner of bank account number 3.

How do I have to design the controllers and services so that the logged-in user can only retrieve/modify his own resources in the database?
Update

After I created this:

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class UserActionsAuthorizationFilter : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext != null)
        {
            bool canUserExecuteAction = IsResourceOwner(actionContext);
            // stop propagation: setting a response short-circuits the pipeline
            if (!canUserExecuteAction)
            {
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
            }
        }
    }

    private bool IsResourceOwner(HttpActionContext actionContext)
    {
        // the authenticated user's id comes from the SID claim of the current principal
        var principal = (ClaimsPrincipal)Thread.CurrentPrincipal;
        var userIdAuthenticated = Convert.ToInt32(principal.Claims.Single(c => c.Type == ClaimTypes.Sid).Value);
        // the target resource id comes from the route, e.g. /api/schoolyears/{id}
        int targetId = Convert.ToInt32(actionContext.Request.GetRouteData().Values["id"]);
        var requestScope = actionContext.ControllerContext.Request.GetDependencyScope();
        var service = (ISchoolYearService)requestScope.GetService(typeof(ISchoolYearService));
        bool canUserExecuteAction = service.HasUserPermission(userIdAuthenticated, targetId);
        return canUserExecuteAction;
    }
}
```
The question is that IsResourceOwner has a hardcoded service => SchoolYearService, which is bound to the SchoolYear SQL table.

I need to keep the IsResourceOwner method working generically for all SQL tables that have a field UserId/UserEmail.

The problem - and I think nobody is doing it this way - is that I would have to map each resource owner check to the correct SQL table in the HasUserPermission method.

How should that mapping look like? Check the controller name "SchoolYearController" and then check the "SchoolYear" table? That's ridiculous.

I put this custom attribute "UserActionsAuthorizationFilter" on every "data" controller. Whatever controller URL the user triggers to fetch data, before that I have to check whether he is the resource owner.

I guess I can not decide that inside the filter. I have to let the data retrieval/modification go through the controller, and the resource owner check is done inside, maybe in the repository, before the data retrieval is done.

What do you think of this:

API
```csharp
public async Task<IHttpActionResult> Delete(int id)
{
    // User.Identity.UserId stands for however the authenticated user's id is read from the principal
    var result = await service.Delete(id, User.Identity.UserId);
    if (result == 0) return NotFound();
    return Ok();
}
```
Repo

```csharp
public async Task<int> Delete(int id, int userId)
{
    // the row is looked up by id AND owner, so another user's row is never found
    var schoolYearToDelete = await context.SchoolYears.SingleOrDefaultAsync(s => s.Id == id && s.UserId == userId);
    // if schoolYearToDelete is null nothing is removed and the affected row count is zero
    if (schoolYearToDelete == null) return 0;
    context.SchoolYears.Remove(schoolYearToDelete);
    return await context.SaveChangesAsync();
}
```
- For the delete method: nothing is returned for a wrong UserId.
- For the create method: no problem, the user should be able to create a resource if he is logged in.
- For the update method: same as the delete method, the SchoolYear is retrieved by id and UserId.

Generally spoken, every method in the repository should consider the UserId in the CRUD action.

What do you think?
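A generic form of the ownership-scoped repository sketched in the update, as an added example and not code from the question or the answer: every read and delete is filtered by the caller's user id, so a non-owner gets "not found" rather than someone else's row. All names (IOwnedResource, OwnedRepository<T>, SchoolYear) are assumptions, and a List<T> stands in for the EF DbSet<T> so the sample runs without a database.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical marker interface: every owner-scoped entity exposes its UserId column.
public interface IOwnedResource
{
    int Id { get; }
    int UserId { get; }
}

public class SchoolYear : IOwnedResource
{
    public int Id { get; set; }
    public int UserId { get; set; }
    public string Name { get; set; }
}

// Hypothetical generic repository: the owner filter lives in one place, so no per-table
// mapping is needed. A List<T> stands in for the EF DbSet<T> (no database required).
public class OwnedRepository<T> where T : class, IOwnedResource
{
    private readonly List<T> _table;
    public OwnedRepository(List<T> table) { _table = table; }

    public T Find(int id, int callerUserId) =>
        _table.SingleOrDefault(r => r.Id == id && r.UserId == callerUserId);

    // Returns the affected row count: 0 when the row is missing or owned by someone else.
    public int Delete(int id, int callerUserId)
    {
        var row = Find(id, callerUserId);
        if (row == null) return 0;
        _table.Remove(row);
        return 1;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: school year 3 belongs to user 42.
        var repo = new OwnedRepository<SchoolYear>(
            new List<SchoolYear> { new SchoolYear { Id = 3, UserId = 42, Name = "2014/15" } });

        Console.WriteLine(repo.Delete(3, callerUserId: 7));   // caller is not the owner, nothing is deleted
        Console.WriteLine(repo.Delete(3, callerUserId: 42));  // the owner deletes the row
    }
}
```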
See the following link - it covers both authentication (so you know who is requesting) and authorization (so you know if they are authorized to see the data):

http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

To add one other detail - it is common to have columns and/or tables in the database that define the authorization of users. It is possible (depending on the authentication mechanism) that the authentication provider might be providing "claims" or other information that define what the user is authorized to access. However, this is potentially less secure, as you need to trust the source of that information and have a way to ensure it hadn't been tampered with prior to being submitted to the API.