asp.net mvc authorization using roles

别那么骄傲 2020-12-07 15:11

I'm creating an asp.net mvc application that has the concept of users. Each user is able to edit their own profile. For instance:

  • PersonID=1 can edit thei
5 answers
  •  执念已碎
    2020-12-07 15:56

    Matt is right.

    What the authorisation is for is to show that they're allowed to perform that function - what you're trying to do is say whether they can perform the function for that particular ID.

    So two solutions:

    1. Like Matt said, make an action that takes no ID, but looks up the current logged in user from the session information, and retrieves them.
    2. Make an action that takes an ID, but only allow administrators access - so they can modify other users' information if required.

    But to answer the question, the Authorisation is only to say "Yes, this person can use the modify user action", not based on the parameter entered.

    The other way is that you could make it check that the user retrieved == the current user, or redirect to another action saying that they cannot edit that user - but it'd be better just to provide an action that doesn't take an id, and just gets the current logged in user.
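
The three options from the answer above, sketched for ASP.NET MVC 5 as an added example that is not code from the original post. `Person`, `IPersonRepository`, the action names and the `Administrator` role name are assumptions, as are that `UserName` holds the same value as `User.Identity.Name` and that a dependency resolver supplies the repository.

```csharp
using System;
using System.Web.Mvc;

public class Person // hypothetical model, assumed for this example
{
    public string UserName { get; set; }    // same value as User.Identity.Name
    public string DisplayName { get; set; }
}
public interface IPersonRepository // hypothetical data access, assumed for this example
{
    Person FindById(int id);
    Person FindByUserName(string userName);
    void Save(Person person);
}

[Authorize] // every action below requires an authenticated user
public class ProfileController : Controller
{
    private readonly IPersonRepository _people;
    public ProfileController(IPersonRepository people) { _people = people; }

    // Solution 1: no ID parameter; the server picks the record from the logged-in identity.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditMine(string displayName) =>
        Update(_people.FindByUserName(User.Identity.Name), displayName);

    // Solution 2: takes an ID, but the role check limits it to administrators.
    [HttpPost, ValidateAntiForgeryToken, Authorize(Roles = "Administrator")]
    public ActionResult EditAny(int id, string displayName) => Update(_people.FindById(id), displayName);

    // The "other way": takes an ID and refuses unless the loaded record belongs to the caller.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, string displayName)
    {
        Person target = _people.FindById(id);
        if (target != null && !string.Equals(target.UserName, User.Identity.Name,
                                             StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(403); // authenticated, but not the owner
        return Update(target, displayName);
    }

    private ActionResult Update(Person person, string displayName)
    {
        if (person == null) return HttpNotFound();
        person.DisplayName = displayName;
        _people.Save(person);
        return new HttpStatusCodeResult(204); // saved, nothing to render
    }
}
```

The `[Authorize]` attributes only decide who may call an action; the comparison inside `Edit` is what ties the `id` parameter to the caller, which is the distinction the answer draws.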
