bypass anything in server? for example if i have a controller like this:
IActionResult Test()
{
    // This checks in the database whether the user is an admin or not.
    var isAdmin = _user.IsAdmin(userID);
    if (!isAdmin)
    {
        return NotFound();
    }
    // do something.
    return Ok();
}
Can a user/hacker bypass that? In other words, can a hacker bypass that, or will a hack only happen if I forgot to check whether the user is admin or not somewhere?
If the hacker really wants to see it, he can try userID again and again. It will take a lot of time, but the hacker can do it.
Did you mean try to guess which userID is admin? If that is what you mean, it can't, since that userID came from a claim, and the claim is what the user used to auth in the website.
If this is a server, the hacker can try the root (administrator on Windows) password again and again.
The hacker first should find the server, then try to hack it. But still, that is not my answer. I am asking about security in my own project, not the server, firewall and anything like that.
Why not use an action filter, and have claims set with the role as admin at the user login itself?