Reviewing Segmenting and Protecting Data (6:49) with James Churchill
Let's review the changes that we made to our web app in this section.
0:00 Let's review the changes we made in this section.
0:03 You've seen the SQL Server Object Explorer window.
0:07 Let's review the data in the AspNetUsers table.
0:18 Here's our seeded users.
0:20 Notice that the passwords are hashed.
0:24 Now let's review the changes to the Entry table.
0:33 Here's our UserId column, and notice that each row has a value populated
0:38 representing the user ID that owns or is associated with that entry.
0:44 Let's close both of those tabs.
0:47 Switch to Solution Explorer.
0:49 Expand Controllers and open the entries controller.
0:53 Now let's set a breakpoint inside each of the entries controller action methods.
1:01 I'll press F9 to set a breakpoint here just inside of the Index action method.
1:05 Scroll down to Add.
1:15 Then the POST version of the Add action method.
1:22 Edit.
1:26 And Edit POST.
1:32 Delete, and the last one, the Delete POST action method.
1:38 Then I'll press F5 to debug the app.
1:43 Here's our sign-in page.
1:45 If you look up in the address bar, notice this green lock and the word Secure.
1:51 This tells us that we're using HTTPS and SSL.
1:57 I'll go ahead and sign in.
2:06 And just inside of the Index action method we're getting ready to call
2:10 the GetUserId method on the User.Identity property.
2:16 Press F10, and if we hover over the userId variable,
2:19 we can see the user ID from my account.
2:23 Now, we're gonna pass that user ID into the GetList entries repository method.
2:29 This allows the repository to filter the list of entries
2:32 to the ones that are associated with my account.
2:35 And here's my entries.
2:37 Let's try adding an entry.
2:42 Inside of the Add action method, here we're getting my user ID, again, and
2:46 we're setting the viewModel.Entry.UserId property.
2:51 Let's view the source of the page by right-clicking and selecting View Page Source.
2:57 I'll make this slightly larger.
3:00 And scroll down a bit.
3:03 Here's our first form, but this is our sign-out form.
3:06 Let's scroll down a little bit further.
3:09 Here's what I'm looking for.
3:10 It's an input element of type hidden that contains my UserId.
3:17 Also notice that there's another hidden input element right here.
3:22 This one contains the anti-forgery token that we're using to prevent
3:28 CSRF, or cross-site request forgery.
3:31 If this token wasn't included as a form value, or
3:34 if the token value was incorrect, the post would fail upon submission to the server.
3:41 Let's go ahead and fill out some values.
3:43 So I'll select basketball for activity and say I played for
3:48 30 minutes at a medium intensity and submit the form.
3:54 Now, we are inside of the Add POST action method.
3:57 Let's step down; here we are about to get the user ID for my account.
4:04 And we're setting the entry's UserId property,
4:08 ignoring the one that was sent from the client.
4:11 This is to ensure that the user didn't tamper with the hidden field value.
4:16 Let's go ahead and add the entry, and
4:20 press F5 to continue execution, which will redirect us back to the index page.
4:28 And here we are with our message saying that the entry was successfully added.
4:34 Now, let's edit that same entry by clicking the Edit button on its row.
4:41 Here we are in the Edit GET action method.
4:44 If we step down, we'll see the call to the GetUserId method, again.
4:48 And remember, we're passing the userId into the entriesRepository
4:53 Get method along with the id of the entry that we're trying to retrieve.
4:58 Doing this prevents users from hacking the URL
5:01 in an attempt to retrieve another user's entry.
5:05 Let's change the activity and submit the form.
5:11 Let's step down.
5:14 Here we are getting a reference to our entry model, and
5:17 here we're getting the user ID, again.
5:21 This time, before we update the entry, we're calling the entries repository
5:26 EntryOwnedByUserId method, passing in the entry.Id and the userId.
5:31 We're doing this to ensure, again, that the combination of the entry ID and
5:36 user ID is valid.
5:39 In here, we're going to override the entry's UserId property with the user
5:43 ID of the current user.
5:46 And after updating the entry,
5:48 we're redirected back to the entries Index route.
5:53 In here is our message that our entry was successfully updated.
5:59 Now, let's delete that entry.
6:02 Here's the Delete GET action method, and
6:05 again, we're passing that into the entriesRepository.Get method in order to
6:10 ensure that this entry belongs to our user.
6:16 We click the Delete button to delete the entry.
6:19 And in the Delete POST action method, we're getting our user ID, again.
6:24 And we're calling the entriesRepository.EntryOwnedByUserId
6:28 method to check to make sure that this entry is, in fact,
6:31 owned by the current user.
6:36 Our entry has been deleted.
6:39 And now we're back at our entries list page with the message letting us know that
6:43 our entry was deleted.
6:46 Now we're back to just four entries.
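The pattern the video steps through, written out as a minimal ASP.NET MVC controller and repository so the three checks can be read side by side. This is an added illustration, not the course project's own code: the names GetList, Get(id, userId) and EntryOwnedByUserId come from the video, while Entry, EntryViewModel, EntriesRepository, Update, Delete and the TempData message text are assumed here.

```csharp
// Added example (not the course's code). Assumed names: Entry, EntryViewModel,
// EntriesRepository, Update, Delete. GetList/Get/EntryOwnedByUserId are named in the video.
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using Microsoft.AspNet.Identity; // supplies the User.Identity.GetUserId() extension

public class Entry
{
    public int Id { get; set; }
    public string UserId { get; set; }
    public string Activity { get; set; }
    public int Duration { get; set; }
}

public class EntryViewModel
{
    public Entry Entry { get; set; }
}

// Every read and write takes the caller's userId, so ownership is enforced
// at the data layer rather than trusted from the request.
public class EntriesRepository
{
    private readonly List<Entry> _entries; // stand-in for the database context

    public EntriesRepository(List<Entry> entries) { _entries = entries; }

    public IList<Entry> GetList(string userId) =>
        _entries.Where(e => e.UserId == userId).ToList();

    // Returns null when the id exists but belongs to someone else.
    public Entry Get(int id, string userId) =>
        _entries.SingleOrDefault(e => e.Id == id && e.UserId == userId);

    public bool EntryOwnedByUserId(int entryId, string userId) =>
        _entries.Any(e => e.Id == entryId && e.UserId == userId);

    public void Update(Entry entry)
    {
        var existing = _entries.Single(e => e.Id == entry.Id);
        existing.Activity = entry.Activity;
        existing.Duration = entry.Duration;
    }

    public void Delete(int id) => _entries.RemoveAll(e => e.Id == id);
}

[Authorize] // unauthenticated requests never reach these actions
public class EntriesController : Controller
{
    private readonly EntriesRepository _entriesRepository;

    public EntriesController(EntriesRepository repository) { _entriesRepository = repository; }

    public ActionResult Index()
    {
        var userId = User.Identity.GetUserId();
        return View(_entriesRepository.GetList(userId)); // filtered server-side
    }

    public ActionResult Edit(int id)
    {
        var userId = User.Identity.GetUserId();
        // Looking up by (id, userId) means a guessed id in the URL yields nothing.
        var entry = _entriesRepository.Get(id, userId);
        if (entry == null) return HttpNotFound();
        return View(new EntryViewModel { Entry = entry });
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // the post fails if the hidden token is missing or wrong
    public ActionResult Edit(EntryViewModel viewModel)
    {
        var entry = viewModel.Entry;
        var userId = User.Identity.GetUserId();

        // Confirm the (entry.Id, userId) pair before touching the row.
        if (!_entriesRepository.EntryOwnedByUserId(entry.Id, userId))
            return HttpNotFound();

        // Overwrite whatever UserId the hidden field carried; only the identity counts.
        entry.UserId = userId;
        _entriesRepository.Update(entry);

        TempData["Message"] = "Your entry was successfully updated!"; // assumed wording
        return RedirectToAction("Index");
    }

    [HttpPost, ActionName("Delete")]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteConfirmed(int id)
    {
        var userId = User.Identity.GetUserId();
        if (!_entriesRepository.EntryOwnedByUserId(id, userId))
            return HttpNotFound();

        _entriesRepository.Delete(id);
        TempData["Message"] = "Your entry was successfully deleted!"; // assumed wording
        return RedirectToAction("Index");
    }
}
```

Returning a 404 rather than a 403 for a foreign entry id is a design choice: it avoids confirming to the caller that the id exists at all. The key point from the video is that the posted UserId and the id in the URL are both treated as untrusted, and the identity from the authenticated session is the only thing that decides which rows are visible or writable.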