I designed an MVC app with authorization that works great. In my app, a user can click a link to view a document. The document displays in another tab. If the user saves that link, logs out, and comes back (without logging in), they can paste the link into the browser to see the document. They can also change the parameters in the link to view documents that may or may not be associated with their account. The link is created as:
@Html.ActionLink("View", "CertificatePDF", "Documents", new { wo_nbr = Model.id}, new { target = "_blank" })
This creates the following link: http://xxx.yyy.com/Documents/CertificatePDF?wo_nbr=1000462209
How can I prevent users from viewing/changing documents unless they are logged into the app?
CodePudding user response:
Add the [Authorize] attribute to your CertificatePDF action. This should require users to be authenticated. You can add the attribute to your controller class if you want everything to require authentication. Also, for the opposite, you can add the [AllowAnonymous] attribute to bypass authentication.
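A worked version of the answer, written here as an added example rather than code from the original post. It assumes ASP.NET MVC 5 (System.Web.Mvc) and invents a small repository (IDocumentRepository, CertificateDocument, InMemoryDocumentRepository) to stand in for whatever data access the app actually uses. It also goes one step further than the answer: [Authorize] fixes the logged-out case, but the question also describes editing wo_nbr in the URL to reach other accounts' documents, and [Authorize] alone does nothing about that, so the lookup is scoped to the current user as well.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical repository abstraction (assumed, not from the original post).
public interface IDocumentRepository
{
    // Returns null unless a document with this work-order number exists AND
    // belongs to the given user. Keeping both conditions in one lookup means
    // the controller cannot forget the ownership half.
    CertificateDocument FindForUser(long woNumber, string userName);
}

public class CertificateDocument
{
    public long WorkOrderNumber { get; set; }
    public string OwnerUserName { get; set; }
    public byte[] PdfBytes { get; set; }
}

// Constructed in-memory store so the example runs without a database.
public class InMemoryDocumentRepository : IDocumentRepository
{
    private readonly Dictionary<long, CertificateDocument> _store =
        new Dictionary<long, CertificateDocument>
        {
            // Sample data, made up for this example.
            [1000462209] = new CertificateDocument
            {
                WorkOrderNumber = 1000462209,
                OwnerUserName = "alice",
                PdfBytes = new byte[] { 0x25, 0x50, 0x44, 0x46 } // "%PDF"
            },
            [1000462210] = new CertificateDocument
            {
                WorkOrderNumber = 1000462210,
                OwnerUserName = "bob",
                PdfBytes = new byte[] { 0x25, 0x50, 0x44, 0x46 }
            }
        };

    public CertificateDocument FindForUser(long woNumber, string userName)
    {
        CertificateDocument doc;
        if (!_store.TryGetValue(woNumber, out doc)) return null;
        // Ownership check: a document that exists but is someone else's is
        // reported exactly like one that does not exist.
        return doc.OwnerUserName == userName ? doc : null;
    }
}

public class DocumentsController : Controller
{
    private readonly IDocumentRepository _documents;

    // Demo-only fallback; a real app would inject the repository via its
    // DI container instead of newing it up here.
    public DocumentsController() : this(new InMemoryDocumentRepository()) { }

    public DocumentsController(IDocumentRepository documents)
    {
        _documents = documents;
    }

    // [Authorize] rejects unauthenticated requests (with forms authentication,
    // a redirect to the login page), so a link saved before logging out no
    // longer returns the PDF afterwards. The @Html.ActionLink in the view
    // does not need to change.
    [Authorize]
    public ActionResult CertificatePDF(long wo_nbr)
    {
        // Authentication says WHO the caller is; it does not say they may see
        // this work order. Scope the lookup to the signed-in user so that a
        // tampered wo_nbr belonging to another account is simply not found.
        var document = _documents.FindForUser(wo_nbr, User.Identity.Name);
        if (document == null)
        {
            // Same 404 for "does not exist" and "not yours", so the parameter
            // cannot be used to enumerate which work orders exist.
            return HttpNotFound();
        }

        // Inline content, so it still opens in the new tab opened by target="_blank".
        return File(document.PdfBytes, "application/pdf");
    }
}
```

With this in place, a logged-out request is turned away by [Authorize], and a logged-in user who changes wo_nbr to another account's number gets a 404 instead of the document. The ownership rule lives in the repository rather than in the action so that any other action that later serves the same documents gets the same check.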