I am developing Web APIs using ASP.NET for an application. I am currently working on implementing role-based user authentication, and I am trying to understand how I could prevent authenticated users from accessing other users' data. One approach I am working on is:
A unique key per record per user across all tables, so I could validate whether the request belongs to the requesting user or not. But how could I allow the operation if the requesting user is an admin?
I could allow this by permitting different requests in the controller based on user validation. In this case, I have to pass the user role to the data access function to decide whether the requested operation is allowed or not.
(If a regular user -> only updates to his own records are allowed (based on the unique key that belongs to the user across all tables).) (If an admin -> all operations are allowed.)
Are there any smarter, more elegant methods?
Thanks, PG
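The owner-or-admin rule the question describes is what ASP.NET Core calls resource-based authorization: the controller loads the record by its primary key, then asks `IAuthorizationService` whether the current principal may perform a named operation on that specific object, and a single handler encodes "owner may, admin may". The data access layer never needs to know about roles. The following is an added example written for this page, not code from the original post; it assumes ASP.NET Core (not classic Web API 2), and the `Document` entity, `IDocumentRepository`, the `OwnerId` column and the role name `"Admin"` are hypothetical stand-ins for the per-user key and role in the question.

```csharp
// Added example (not from the original post). Assumes ASP.NET Core with
// Microsoft.AspNetCore.Authorization. Document, IDocumentRepository and the
// "Admin" role name are hypothetical.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;

// Hypothetical entity: every row records its owner, i.e. the
// "unique key per record per user" from the question.
public class Document
{
    public int Id { get; set; }
    public string OwnerId { get; set; } = "";
    public string Body { get; set; } = "";
}

// The operations a caller may request on a Document.
public static class DocumentOperations
{
    public static readonly OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement { Name = "Read" };
    public static readonly OperationAuthorizationRequirement Update =
        new OperationAuthorizationRequirement { Name = "Update" };
    public static readonly OperationAuthorizationRequirement Delete =
        new OperationAuthorizationRequirement { Name = "Delete" };
}

// The owner-or-admin rule lives in exactly one place. The controller never
// inspects the role; it only asks "may this user do this operation on this row?".
public class DocumentAuthorizationHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Document>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement,
        Document resource)
    {
        var userId = context.User.FindFirstValue(ClaimTypes.NameIdentifier);

        // Admins may perform every operation; everyone else only on their own rows.
        // Compare against the authenticated identity, never against a user id
        // supplied in the request body or query string.
        if (context.User.IsInRole("Admin") ||
            (userId != null && userId == resource.OwnerId))
        {
            context.Succeed(requirement);
        }
        // Not calling Fail() leaves room for other handlers; with no Succeed the
        // default outcome is still deny.
        return Task.CompletedTask;
    }
}

// Hypothetical repository: the data layer takes a key, not a role.
public interface IDocumentRepository
{
    Task<Document?> FindAsync(int id);
    Task UpdateAsync(Document doc);
}

[ApiController]
[Route("api/documents")]
[Authorize]
public class DocumentsController : ControllerBase
{
    private readonly IDocumentRepository _repo;
    private readonly IAuthorizationService _authz;

    public DocumentsController(IDocumentRepository repo, IAuthorizationService authz)
    {
        _repo = repo;
        _authz = authz;
    }

    [HttpPut("{id:int}")]
    public async Task<IActionResult> Update(int id, [FromBody] string body)
    {
        // Load by primary key first; ownership is then a policy decision on the
        // loaded object rather than a WHERE clause that has to be repeated per query.
        var doc = await _repo.FindAsync(id);
        if (doc == null) return NotFound();

        var result = await _authz.AuthorizeAsync(User, doc, DocumentOperations.Update);
        if (!result.Succeeded) return Forbid(); // or NotFound() to avoid revealing that the id exists

        doc.Body = body;
        await _repo.UpdateAsync(doc);
        return NoContent();
    }
}

// Registration (Program.cs, ASP.NET Core 6+ minimal hosting):
//   builder.Services.AddAuthorization();
//   builder.Services.AddScoped<IAuthorizationHandler, DocumentAuthorizationHandler>();
```

Two practical notes. First, for list endpoints you cannot load every row and run the handler on each, so the same rule has to be applied as a query filter (`Where(d => d.OwnerId == userId)` unless the principal is an admin); keep that filter in one shared helper so it matches the handler. Second, the choice between `Forbid()` (403) and `NotFound()` (404) for a row the caller does not own is a disclosure decision: 403 confirms that the id exists, which matters when ids are sequential and enumerable.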