Before worrying about direct object reference issues first check that your controllers and actions are secured.
Does every controller have [Authorize(XXX)] added to it? If not understand why
Then for those controllers missing [Authorize(XXX)] check each action has [Authorize(XXX)] applied to it. Again if this is missing ask why is it missing? Does it make sense for the action to support Anonymous Access?
Also search for [AllowAnonymous] in your *.cs files – again is this reasonable where it is has been applied.
At least at this point you are confident that everything that requires authorisation has it applied.
Next you need to think about what data is segregated and how it is segregated.
- Do you have user profiles? Well presumably a user should not be able to view\edit some else’s profile
- Do you have the concept of an organisation? well presumable a user in one organisation should not be able to see data for another organisation
- Is it a multitenancy system?
- And so on.
Once this exercise is completed look for code to check access rights where appropriate. Also certain operations may only be available depending on a records state. The code in your action should look something like below.
public ActionResult CompanyOrder(int id)
{
//// First check if the user is allowed to see the record. Check against the database that the user has access and if not throw an exception or retun httpnotfound() or something
CheckUserCanAccessOrder(User.Identity.Name, id);
//// Second check the order is in the correct status for the action. Perhaps in this case only orders that are “Open” can be accessed via CompanyOrder and if not throw an exception or retun httpnotfound() or somemthing
CheckOrderOpen(id);
//// now get order and return the correct view
The post logic is much the same only you will want to check that the model is valid.
At least now if someone tampers with an id in a URL they get an error page as oppose to someone else’s data.
