asp.net mvc3 how to pass ID variable but without in browser

Question

I was wondering how can I pass my primary-key int ID myid into a .tolist method that uses a for each loop

VIEW

@foreach (var item in Model)

{

@Html.ActionLink("View", "detail", new { id = item.myid})

@Html.ActionLink("Add Pictures", "pictures")

}

the .tolist controller

[Authorize]

public ActionResult mylist(list listings)
    {

var showlist = (from s in db.list where getid == s.RegistrationID select s).ToList();

        return View(showlist.ToList());

}

As you can see from above i do have the [authorize] notation on mylist which is were the foreach statement is on so people are logged on already. My question is were can I put the int myid in the @Html.ActionLink("Add Pictures", "pictures") ?? I do not want to have it in the Browser since then users can easily put in different numbers and view other peoples pictures .

Answer 1

You should be passing the id in the url

@Html.ActionLink("Add Pictures", "pictures",new { @id=item.ID})

And in your pictures action method, you should check whether the current User is a logged (Authentication) in user and he has proper permission to add picture (Authorization).

public ActionResult pictures(int id)
{
  //TO DO  : Check the user has sufficient permission to add pictures. 
  // The implementation of this checking is completely up to you.
  // If not authorized redirect to a view to show the "Not authorized" message

}

Answer 2

Can't you just prevent people from looking at other people's pictures by checking if their user id matches the picture's owner's id?

You have to pass the id to the user, you can't avoid it.

Answer 3

That's not where you stop this kind of "hacking". In your controller or somewhere else, you do a check if the current authenticated user owns that photo and redirect him to a page that says "no picture found" - or something similar.