asp.net mvc authorization using roles

别那么骄傲 2020-12-07 15:11

I'm creating an asp.net mvc application that has the concept of users. Each user is able to edit their own profile. For instance:

  • PersonID=1 can edit thei
5 answers
  •  执笔经年
    2020-12-07 15:51

    My $.02:

    Authorized & authenticated are two different things. Simply put, the question is can you do this thing, are you supposed to do it? You can pick your friends, you can pick your nose but you can't pick your friend's nose! There's no need to check authorization if every role can do it (user has hand and a nose). Have a Post method for users to get to their own profile and test the profile id w/ the form's hidden values or redirect (not your nose, go away).

    Have a Get method for editing others' profiles and just check for the admin role here - (I'm a doctor, I'm authorized to stick things up your nose)...
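
One way to implement the owner-or-admin check the answer above describes, as an added example that is not part of the original thread. Because the hidden PersonId field is client-controlled, it is compared with the signed-in identity on the server for both GET and POST. Assumptions: ASP.NET MVC 5 with ASP.NET Identity, a profile's PersonId equal to the Identity user id, a role named "Admin", and a hypothetical `IProfileStore` supplied by dependency injection.

```csharp
using System.Net;
using System.Web.Mvc;
using Microsoft.AspNet.Identity; // assumption: ASP.NET Identity provides GetUserId()

public class ProfileEditModel
{
    public string PersonId { get; set; }    // hidden form field: client-controlled
    public string DisplayName { get; set; }
}

// Hypothetical data-layer abstraction, injected by an assumed DI container.
public interface IProfileStore
{
    ProfileEditModel Find(string personId);
    void Save(ProfileEditModel profile);
}

[Authorize] // authentication: every action needs a signed-in user
public class ProfileController : Controller
{
    private readonly IProfileStore _store;
    public ProfileController(IProfileStore store) { _store = store; }

    // Authorization: only the profile's owner or an admin may edit it.
    private bool CanEdit(string personId)
    {
        return User.IsInRole("Admin") || (personId != null && personId == User.Identity.GetUserId());
    }

    [HttpGet]
    public ActionResult Edit(string id)
    {
        if (!CanEdit(id)) return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        var profile = _store.Find(id);
        if (profile == null) return HttpNotFound();
        return View(profile);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(ProfileEditModel model)
    {
        // Re-check on the server: the hidden PersonId can be changed before submit.
        if (!CanEdit(model.PersonId)) return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        if (!ModelState.IsValid) return View(model);
        _store.Save(model);
        return RedirectToAction("Edit", new { id = model.PersonId });
    }
}
```

The POST action's `[ValidateAntiForgeryToken]` expects the edit form to render `@Html.AntiForgeryToken()`.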
