There are two pages: one with a list of users, and another that opens when you click edit next to a particular user in this list. For example, users.aspx and edituser.aspx. It is necessary to somehow block access to edituser.aspx (for example, www.blabla.com/edituser.aspx), but still allow access to this page provided that I got to it from the users.aspx page. How can this be implemented?
1 answer
You can consider the property Url.Referrer
string referrer = HttpContext.Request.UrlReferrer == null ? "" : HttpContext.Request.UrlReferrer.AbsoluteUri;
if (!referrer.ToLower().Contains("users")) { return RedirectToAction("Access denied"); }
but there are problems with this path (the referrer may be empty, and the known bug with Https too)
The second way is to send verification from the link.
@Html.ActionLink("Method", "Controller", new { show = true })
(adjusted for Razor engine)
and fill the controller itself with a type check
if (!show) return RedirectToAction("Access denied");
but this is evil - the user can create a machine-friendly query like www.blabla.com/edituser.aspx?show=true
Only one correct method remains: restrict the user's access to edituser.aspx in the same way as to users.aspx, that is, at the business logic level, place them in one access cluster.
Try to separate the application layers, so that the view does not know about the controller and the controller does not know about the database.
Request.UrlReferrer - from honest people. - Igor
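The answer's last approach, as an added example that is not part of the original answer: an ASP.NET MVC controller in which one [Authorize] rule covers both the list and the edit actions, so neither the Referer header nor a query flag plays any part in the decision. The role name UserAdmin, the UserRecord and UserStore types and the sample data are assumptions made for illustration.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Hypothetical model and in-memory store standing in for the real data layer.
public class UserRecord
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public static class UserStore
{
    public static readonly List<UserRecord> Users = new List<UserRecord>
    {
        new UserRecord { Id = 1, Name = "alice" },   // constructed sample data
        new UserRecord { Id = 2, Name = "bob" }
    };
}

// One rule on the controller covers the list and the edit page alike.
// "UserAdmin" is an assumed role name.
[Authorize(Roles = "UserAdmin")]
public class UsersController : Controller
{
    // GET /Users : the list page
    public ActionResult Index()
    {
        return View(UserStore.Users);
    }

    // GET /Users/Edit/5 : typed URL or clicked link, the same check applies
    public ActionResult Edit(int id)
    {
        UserRecord user = UserStore.Users.FirstOrDefault(u => u.Id == id);
        if (user == null) return HttpNotFound();
        return View(user);
    }

    // POST /Users/Edit/5 : the write is authorized too; the anti-forgery token,
    // not the Referer header, ties the post to a form this site rendered.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(int id, string name)
    {
        UserRecord user = UserStore.Users.FirstOrDefault(u => u.Id == id);
        if (user == null) return HttpNotFound();
        if (string.IsNullOrWhiteSpace(name)) return new HttpStatusCodeResult(400);
        user.Name = name.Trim();
        return RedirectToAction("Index");
    }
}
```

The edit form has to render @Html.AntiForgeryToken() for the POST action to accept it.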