Introduce new middleware to deal with suspicious URI arguments

Question

Introduce new middleware to deal with suspicious URI arguments

Closed this issue 7 years ago · 0 comments

Overview

There are three database classes: Foo, Bar and Something, not related to each other
I have a page with IBound interface related to Foo
Url to this page is foo/DbObjectId
Page is secured by ViewFoo permission, which expects Foo object in constructor
There is the PredicateRule like this (the user has ViewFoo only if has ViewSomething as well):

new PredicateRule<ViewFoo>((claim, enforcement, permission)
                => enforcement.CheckPermission(new ViewSomething(permission.Foo.Something)))

There are three DBObjects in database:

Foo with id AA
Bar with id BB
Something with id CC

Different behaviors

URL foo/AA works fine
URL foo/BB creates Null ref exception
URL foo/CC creates Null ref exception
URL foo/ creates Null ref exception

Proposed solution

Additional middleware (before security middleware) which checks for arguments given in URL in the context of requested page. If it's not valid (no object in DB, different object type, no argument at all), developer should be able to decide what's going on (404, unauthorized etc.)

cc @joozek78