Monday, 27 June 2016

Restricting a user to access only his/her entities in Entity Framework 6 Repository pattern

I am working on an ASP.NET MVC5 project with the Repository pattern for the first time. It has lots of roles, and there will be a number of users in each role. Till now, I have created various model entities, and the add, update, and delete scenarios are working fine. While testing things, I found that a user is able to update entities that do not belong to him/her.

I want to restrict the user to access, edit, update, and delete only those entities (rows in the DB) that belong to the user itself, not the other ones.

I know I need to check the userId of the currently logged-in user somewhere, but where should I put this WHERE condition in the case of the Repository pattern with Entity Framework?

Two ways that come to my mind are: changing the models to have a userId property in each entity, or joining each entity with its parent entity to get the related user details (the complete chain of entities to get the userId).

What would be the preferred way to implement this? Thanks!
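One way to place the check, as an added example that is not part of the question above and not the asker's code. It follows the first of the two options the question lists: each user-scoped entity carries a UserId column, expressed here through a hypothetical IOwnedEntity interface, and every query in the repository starts from a query already filtered on the current user, so the WHERE condition cannot be forgotten by an individual method. The Invoice entity, AppDbContext and NotOwnedException are assumptions made for the example; the current user's id is assumed to come from ASP.NET Identity on the server side, never from the request body.

```csharp
// Added example: ownership filtering inside an EF6 repository (not the asker's code).
// Assumptions: entities scoped to a user implement IOwnedEntity (hypothetical) with a
// UserId column, and the caller passes the current user's id from ASP.NET Identity.
using System;
using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;

public interface IOwnedEntity
{
    int Id { get; }
    string UserId { get; set; }   // owner; string matches IdentityUser.Id in ASP.NET Identity
}

// Assumed sample entity for the example.
public class Invoice : IOwnedEntity
{
    public int Id { get; set; }
    public string UserId { get; set; }
    public decimal Amount { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<Invoice> Invoices { get; set; }
}

// Raised when a caller references a row it does not own. Map it to 404 rather than 403
// in the controller so that the existence of other users' row ids is not revealed.
public class NotOwnedException : Exception
{
    public NotOwnedException(string type, int id)
        : base(type + " " + id + " does not exist for the current user") { }
}

public class OwnedRepository<T> where T : class, IOwnedEntity
{
    private readonly DbContext _db;
    private readonly string _userId;

    public OwnedRepository(DbContext db, string currentUserId)
    {
        if (string.IsNullOrEmpty(currentUserId))
            throw new ArgumentException("current user id is required", "currentUserId");
        _db = db;
        _userId = currentUserId;
    }

    // Every read goes through this query, so the owner filter is applied exactly once,
    // in one place, for list, get, update and delete alike.
    private IQueryable<T> Owned()
    {
        return _db.Set<T>().Where(e => e.UserId == _userId);
    }

    public IEnumerable<T> GetAll()
    {
        return Owned().ToList();
    }

    public T Get(int id)
    {
        // Filter on id AND owner. A bare Find(id) would hand back other users' rows.
        var entity = Owned().SingleOrDefault(e => e.Id == id);
        if (entity == null) throw new NotOwnedException(typeof(T).Name, id);
        return entity;
    }

    public void Add(T entity)
    {
        entity.UserId = _userId;   // the server assigns ownership; any client-supplied value is overwritten
        _db.Set<T>().Add(entity);
    }

    public void Update(int id, Action<T> apply)
    {
        // Load the owner-checked, tracked row and copy the allowed changes onto it,
        // instead of attaching a client-built object whose Id/UserId the client controls.
        var entity = Get(id);
        apply(entity);
        entity.UserId = _userId;   // ownership cannot be changed through an update
    }

    public void Delete(int id)
    {
        _db.Set<T>().Remove(Get(id));
    }

    public void Save()
    {
        _db.SaveChanges();
    }
}

// Typical use from a controller action; GetUserId() is the Microsoft.AspNet.Identity
// extension method on IIdentity, so the id comes from the authenticated principal:
//   var repo = new OwnedRepository<Invoice>(db, User.Identity.GetUserId());
//   repo.Update(id, inv => inv.Amount = model.Amount);
//   repo.Save();
```

The point of routing everything through Owned() is that the id a user submits in a form or URL is untrusted: the bug observed in the question is a user changing the id in a request and updating someone else's row, and it is only closed if the lookup by id also carries the owner condition. If the UserId does not live on the entity itself and must be reached through a parent chain (the question's second option), the same structure applies, with Owned() expressed as a join or navigation-property filter such as `e.Order.Customer.UserId == _userId`; keeping that expression in one place per entity type is what makes the chain maintainable.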
