- Sat Jun 17, 2017 6:30 am
#20263
How do I restrict a logged in/authenticated user from making changes to entities they didn't create?
For example, if I have a CustomerAddress entity and repository.
And I have an app service method UpdateCustomerAddress, and pass an address id to update, plus the fields to update.
How do I restrict that method so that only the CreatorUser of the CustomerAddress can update it?
Yes I could use abpsession to pass the user id as well, but that could be compromised in the javascript API calls.
I could create a permission "can update address", but still would need a way to verify that this is their address.
Is there a way to find out who called a method?
Help appreciated!
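One way to implement the check the post is asking about, as an added example that is not code from the original post or from ABP itself. It assumes hypothetical names (CustomerAddress, UpdateCustomerAddressInput, the permission string "Pages.CustomerAddresses.Update") and relies on two things ABP does provide: AbpSession.UserId on ApplicationService, which is read from the authenticated principal's claims rather than from anything the JavaScript client posts, and CreatorUserId on CreationAuditedEntity, which ABP fills in when the row is inserted. The owner check is folded into the load query so that "exists but not yours" and "does not exist" produce the same response.

```csharp
using System.Threading.Tasks;
using Abp.Application.Services;
using Abp.Application.Services.Dto;
using Abp.Authorization;
using Abp.Domain.Entities.Auditing;
using Abp.Domain.Repositories;
using Abp.UI;

// Hypothetical entity for this example. CreationAuditedEntity supplies
// CreatorUserId, which ABP sets from the session when the entity is created.
public class CustomerAddress : CreationAuditedEntity<int>
{
    public string Street { get; set; }
    public string City { get; set; }
}

// Hypothetical input DTO. Deliberately no UserId field: the caller never
// gets to tell the server who they are; the server already knows.
public class UpdateCustomerAddressInput : EntityDto<int>
{
    public string Street { get; set; }
    public string City { get; set; }
}

public class CustomerAddressAppService : ApplicationService
{
    private readonly IRepository<CustomerAddress> _addressRepository;

    public CustomerAddressAppService(IRepository<CustomerAddress> addressRepository)
    {
        _addressRepository = addressRepository;
    }

    // Hypothetical permission name. The attribute answers "may this user
    // update addresses at all?" and rejects anonymous callers outright.
    [AbpAuthorize("Pages.CustomerAddresses.Update")]
    public async Task UpdateCustomerAddress(UpdateCustomerAddressInput input)
    {
        // AbpSession.UserId comes from the authenticated principal's claims,
        // not from the request body, so it cannot be forged by editing the
        // JavaScript API call.
        var callerId = AbpSession.UserId;
        if (callerId == null)
        {
            throw new AbpAuthorizationException("No authenticated user.");
        }

        // Answer "is this THEIR address?" in the same query that loads it.
        // An address owned by someone else is indistinguishable from one that
        // does not exist, so ids of other users' addresses cannot be enumerated.
        var address = await _addressRepository.FirstOrDefaultAsync(
            a => a.Id == input.Id && a.CreatorUserId == callerId.Value);

        if (address == null)
        {
            throw new UserFriendlyException("Address not found.");
        }

        address.Street = input.Street;
        address.City = input.City;
        // Application service methods run inside a unit of work by default,
        // so the modified entity is persisted when the method completes.
    }
}
```

The same pattern (permission attribute for "may do this kind of thing", plus an owner predicate in the load query for "may do it to this row") covers Delete and Get as well; the point is that the owner comparison uses the server-side session, never a user id supplied by the client.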