  • Mila Pandurska 75 posts 353 karma points
    Mar 24, 2018 @ 21:40

    Prevent logged user from editing data which does not belong to him

    I have Members in my Umbraco 7 website. Each member can log in to the front-end site and edit pages which only the member can edit. I use UmbracoIdentity for managing Members. I have a custom property Page (MNTP) on my Member doc Type which specifies which pages a Member can edit. On the user profile page I show a list of the allowed pages for edit from this custom property like this:

    var pages = profileModel.MemberProperties.FirstOrDefault(p => p.Alias == "pages").Value;
    foreach (var item in pages.Split(','))
    {
        DetailsPage obj = Umbraco.TypedContent(item) as DetailsPage;
        <a href="/edit-page?pageId=@obj.Id">@obj.H1Title</a>
    }
    

    When a member clicks on the link (domain.com/edit-page?pageId=3242) I have an action method which loads data for the page:

    @Html.Action("GetPageDetails", "Edit", new { id = pageId })
    

    What I want is, if a Member changes the pageId query string manually and his custom property Pages does not contain this pageId, to redirect him to the user profile page with the list of his allowed pages. I need an idea how to restrict a logged-in member to edit only the pages that are assigned in the property Pages. I have successfully added the page IDs in Claims and I can perform the check in each method. But I have a lot of methods. Is there some best practice or a solution which does not require going over all methods?

    Thanks
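
One way to centralise the ownership check described in the post above is an ASP.NET MVC authorization filter applied once to the controller. This is an added example, not part of the original post or of UmbracoIdentity. The attribute name, the claim type `urn:example:editable-page` (one claim per allowed page id) and the `/profile` redirect URL are assumptions; the `id` route value and `pageId` query string come from the post.

```csharp
using System;
using System.Globalization;
using System.Security.Claims;
using System.Web.Mvc;

// Hypothetical filter: lets a request through only when the requested page id
// is one of the page-id claims issued to the logged-in member.
// Usage (assumed): put [AuthorizeMemberPage] on the Edit controller class so
// every action is covered without repeating the check in each method.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class AuthorizeMemberPageAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumed names; replace with the claim type and URL the site really uses.
    public const string PageClaimType = "urn:example:editable-page";
    private const string ProfileUrl = "/profile";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User as ClaimsPrincipal;

        // @Html.Action(..., new { id = pageId }) passes the id as a route value;
        // a direct request to /edit-page carries it as the pageId query string.
        object routeId = filterContext.RouteData.Values["id"];
        string raw = routeId != null
            ? Convert.ToString(routeId, CultureInfo.InvariantCulture)
            : filterContext.HttpContext.Request.QueryString["pageId"];

        // Deny by default: missing, non-numeric or unassigned ids all fail.
        int pageId;
        bool allowed = user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated
            && int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out pageId)
            && user.HasClaim(PageClaimType, pageId.ToString(CultureInfo.InvariantCulture));

        if (allowed)
        {
            return;
        }

        // Child actions are not allowed to redirect, so they answer 403;
        // top-level requests are sent back to the member's profile page.
        filterContext.Result = filterContext.IsChildAction
            ? (ActionResult)new HttpStatusCodeResult(403)
            : new RedirectResult(ProfileUrl);
    }
}
```

Claims stored in the login cookie are a snapshot, so a page removed from the member's Pages property stays editable until the claims are reissued; reading the property from the member inside the filter avoids that at the cost of a lookup per request.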
