In the context of an asp.net website, what's the most efficient way to check whether a User has acce

Posted by scaramouch on Stack Overflow See other posts from Stack Overflow or by scaramouch
Published on 2010-05-26T06:41:38Z Indexed on 2010/05/26 7:01 UTC
Read the original article Hit count: 157

Filed under:
|
|

I have a webpage that you pass in an id parameter (via a querystring), which it then uses to fetch data from a database. Typically, a user would navigate to this page from another page that lists only those records that the user has access to. However, if they go directly to the page by typing in the URL in the Address Bar, they can effectively view any record they like.

Eg. If they were to type something like http://localhost/TestSite/ClientAdmin/ManageLocation.aspx?LocationID=5 into their Address Bar, they can access the database record with the LocationID equal to five - even though they shouldn't have access to it.

Now, I could solve this by doing a database check every time the page is loaded to see whether the current user has access to the record they're trying to view. However this doesn't seem very efficient given that in most cases a user won't be trying to access a record that isn't theirs. Does anyone have a better suggestion?

Thanks.

© Stack Overflow or respective owner

Related posts about ASP.NET

Related posts about sql-server