
How can I authorize users based on a posted integer? The ShowProduct action shows the product itself. It should only be visible if the logged-in user owns the product. This is what the Index looks like:

// Only accessible if the posted ProductID belongs to a specific artist.
[customauthorization]
public ActionResult ShowProduct(int ProductID)
{
    // Controller.View() is the MVC helper; C# is case-sensitive, so view() does not compile.
    return View();
}

Every product belongs to an artist. The ArtistID is set in the ProfileBase.

I have got 2 user roles, 'Normal' and 'Admin'. Normal users can only access the ActionResult ShowProduct if the product is theirs. Everything is stored in a database.

I've tried to use custom authorization for this but I can't access the ProductID via the authorization class. Nothing seems to work although I am sure more people are facing this problem. Can anybody help me?

Can you please describe your domain. A better idea might be to create a ProductCategory or a UserRole and authorise actions on that. Also it's not clear what kind of an action is the Product, did you mean something like Remove or Edit instead? – oleksii 13 mins ago
I've added some more information in the question. No, the action shows the product itself. I want to prevent users from viewing someone else's Product – Bernardmoes 9 mins ago
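One way to do the ownership check the question describes, as an added example (not code from the question or from any answer on this page). It assumes ASP.NET MVC 3 or later, that Admin users may view every product, that the profile property `ArtistID` is typed as `int`, and a hypothetical `IProductOwnerLookup` service registered with the dependency resolver to read the owning artist from the database.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Profile;

// Hypothetical data-access seam (assumption): owning ArtistID, or null if no such product.
public interface IProductOwnerLookup { int? GetArtistIdForProduct(int productId); }

public class ProductOwnerAuthorizeAttribute : AuthorizeAttribute
{
    private const string ItemKey = "ProductOwnerAuthorize.ProductID";

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Read ProductID through the controller's value provider, the same source the
        // model binder uses, so the id that is checked is the id the action receives.
        var posted = filterContext.Controller.ValueProvider.GetValue("ProductID");
        int productId;
        // A repeated parameter yields "1,2" here and fails TryParse, so it is denied.
        if (posted != null && int.TryParse(posted.AttemptedValue, out productId))
            filterContext.HttpContext.Items[ItemKey] = productId;

        base.OnAuthorization(filterContext); // runs AuthorizeCore below
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;  // must be logged in
        if (httpContext.User.IsInRole("Admin")) return true; // assumption: admins see all

        var productId = httpContext.Items[ItemKey] as int?;
        if (productId == null) return false;                 // missing or non-numeric id

        var lookup = DependencyResolver.Current.GetService<IProductOwnerLookup>();
        if (lookup == null) return false;                    // fail closed if not wired up
        int? ownerArtistId = lookup.GetArtistIdForProduct(productId.Value);

        // ArtistID lives in the user's profile, as stated in the question.
        var profile = ProfileBase.Create(httpContext.User.Identity.Name);
        var userArtistId = profile.GetPropertyValue("ArtistID") as int?;

        // Unknown product and missing ArtistID are both treated as "not the owner".
        return ownerArtistId.HasValue && userArtistId.HasValue
            && ownerArtistId.Value == userArtistId.Value;
    }
}
```

Decorate the action with `[ProductOwnerAuthorize]` in place of `[customauthorization]`. The id is passed to `AuthorizeCore` through `HttpContext.Items` rather than an instance field because filter attribute instances can be shared between requests.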
