Introduce new middleware to deal with suspicious URI arguments
Closed this issue · 0 comments
mmnosek commented
Overview
- There are three database classes:
Foo
,Bar
andSomething
, not related to each other - I have a page with
IBound
interface related toFoo
- Url to this page is
foo/DbObjectId
- Page is secured by
ViewFoo
permission, which expectsFoo
object in constructor - There is the PredicateRule like this (the user has
ViewFoo
only if hasViewSomething
as well):
new PredicateRule<ViewFoo>((claim, enforcement, permission)
=> enforcement.CheckPermission(new ViewSomething(permission.Foo.Something)))
There are three DBObjects in database:
Foo
with id AABar
with id BBSomething
with id CC
Different behaviors
- URL foo/AA works fine
- URL foo/BB creates Null ref exception
- URL foo/CC creates Null ref exception
- URL foo/ creates Null ref exception
Proposed solution
Additional middleware (before security middleware) which checks for arguments given in URL in the context of requested page. If it's not valid (no object in DB, different object type, no argument at all), developer should be able to decide what's going on (404, unauthorized etc.)
cc @joozek78