我正在开发具有安全性的自定义控件。当用户无权访问该控件时,该控件将使其自身禁用,但也将变为不可见。该控件未呈现,也没有出现在页面上。至此,一切都很好。
我的问题是如何确保控件防止用户更改值?
我已经使用Chrome HTML Inspector在表单中注入了输入,因为应该像它应该显示的那样,该字段不会呈现,当我使用注入的输入提交具有新值的表单时,服务器在控件中具有新值价值属性。
public enum UserRole {
Standard,
Administrator,
[...]
}
//For this example, my custom control is derived from HtmlInputText. [ToolboxData("<{0}:MyCustomControl runat=\"server\"></{0}:MyCustomControl>")]
public class MyCustomControl: System.Web.UI.HtmlControls.HtmlInputText
{
public UserRole? MinimumRoleRequired { get; set; }
protected override void OnLoad(EventArgs e)
{
//Simplified version
if (this.Page.CurrentUser.Role < this.MinimumRoleRequired)
{
this.Visible = false;
this.Disabled = true;
return;
}
[...]
}
protected override void Render(HtmlTextWriter writer)
{
if (!this.Visible || this.Disabled)
{
return;
}
[...]
}
[...]
}
//My page who contain the control:
//HTML (MyPage.aspx)
<Controls:MyCustomControl ID="tbAdminOnly"runat="server"></Controls:MyCustomControl>
//C# (MyPage.aspx.cs)
public partial class UserEdit : Page
{
protected override void OnInit(EventArgs e)
{
this.tbAdminOnly.MinimumRoleRequired = UserRole.Administrator;
[...]
}
protected override void OnLoad(EventArgs e)
{
base.OnLoad(e);
if (this.IsPostBack)
{
string postBackValue = tbAdminOnly.Value;
return;
}
tbAdminOnly.Value = "Hello world!";
}
}
当我以标准用户身份加载页面时,不会呈现控件。但是,如果我将输入内容插入html页面
//Note, i need to know the valid name/id but it could be done.
<input type="text" name="tbAdminOnly" id="tbAdminOnly" value="Damn shit">
postBackValue现在是注入的输入中的新值。我该如何预防?
谢谢。