1

Hi guys I have a slight problem may be a hard one I have tried to do this with the following code in the index segment of my review controller:

var Info = db.tblReviews.Include(x => x.tblGame).Where(UserInfo => UserInfo.UserName.Equals(User.Identity.Name)).ToList();
return View(Info);

and within the first create of the review controller I have applied:

ViewBag.GameIDFK = new SelectList(db.tblGames, "GameID", "GameName");
return View(new tblReview { UserName = @User.Identity.Name });

My problem is I am trying to allow people to write reviews on games, av got it so that all users that post a game are unique and the games are only viewable by there own accounts but when it comes to edit/deleting/updating I cant get it so that the user posted the game review can only delete/update/edit there own games and not the other users.

For example I have two made up users called sham and bam, each user can see the games that they have posted on the review page but when it comes to edting/updating and deleting the review both user delete/edit and update each others posts.

This is my review controller:

using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Entity;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using GameTest.Models;

namespace GameTest.Controllers
{ 
    public class ReviewController : Controller
    {
        private gamezoneDBEntities db = new gamezoneDBEntities();

        //
        // GET: /Review/

        public ViewResult Index()
        {
            var Info = db.tblReviews.Include(x => x.tblGame).Where(UserInfo => UserInfo.UserName.Equals(User.Identity.Name)).ToList();
            return View(Info); 
        }

        //
        // GET: /Review/Details/5

        public ViewResult Details(int id)
        {
            tblReview tblreview = db.tblReviews.Find(id);
            return View(tblreview);
        }

        //
        // GET: /Review/Create

        public ActionResult Create()
        {
            ViewBag.GameIDFK = new SelectList(db.tblGames, "GameID", "GameName");
            return View(new tblReview { UserName = @User.Identity.Name });
        } 

        //
        // POST: /Review/Create

        [HttpPost]
        public ActionResult Create(tblReview tblreview)
        {
            if (ModelState.IsValid)
            {
                db.tblReviews.Add(tblreview);
                db.SaveChanges();
                return RedirectToAction("Index");  
            }

            ViewBag.GameIDFK = new SelectList(db.tblGames, "GameID", "GameName", tblreview.GameIDFK);
            return View(tblreview);
        }

        //
        // GET: /Review/Edit/5

        public ActionResult Edit(int id)
        {
            tblReview tblreview = db.tblReviews.Find(id);
            ViewBag.GameIDFK = new SelectList(db.tblGames, "GameID", "GameName", tblreview.GameIDFK);
            return View(tblreview);
        }

        //
        // POST: /Review/Edit/5

        [HttpPost]
        public ActionResult Edit(tblReview tblreview)
        {
            if (ModelState.IsValid)
            {
                db.Entry(tblreview).State = EntityState.Modified;
                db.SaveChanges();
                return RedirectToAction("Index");
            }
            ViewBag.GameIDFK = new SelectList(db.tblGames, "GameID", "GameName", tblreview.GameIDFK);
            return View(tblreview);
        }

        //
        // GET: /Review/Delete/5

        public ActionResult Delete(int id)
        {
            tblReview tblreview = db.tblReviews.Find(id);
            return View(tblreview);
        }

        //
        // POST: /Review/Delete/5

        [HttpPost, ActionName("Delete")]
        public ActionResult DeleteConfirmed(int id)
        {            
            tblReview tblreview = db.tblReviews.Find(id);
            db.tblReviews.Remove(tblreview);
            db.SaveChanges();
            return RedirectToAction("Index");
        }

        protected override void Dispose(bool disposing)
        {
            db.Dispose();
            base.Dispose(disposing);
        }
    }
}

If you require more please let me know thanks

much appreciated

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
user1137472
  • 345
  • 2
  • 5
  • 20

1 Answers1

1

It's difficult to answer this without being able to see your data structure, but I will try to help.

I can see in your Index() action that you are getting the user name to retrieve games. So, it looks like your review object stores some reference to the user that created it.

Therefore, on update/delete, just retrieve the user name again, and if it doesn't match the user name on the review object, don't perform the action. 

    public ActionResult Edit(int id)
    {
        //See if this review id was created by the current user
        if(!db.tblReviews.Any(UserInfo => UserInfo.UserName.Equals(User.Identity.Name) && UserInfo.Id == id))
        {
            //Redirect the user away from this edit page, they can't edit this one.
        }

        tblReview tblreview = db.tblReviews.Find(id);
        ViewBag.GameIDFK = new SelectList(db.tblGames, "GameID", "GameName", tblreview.GameIDFK);
        return View(tblreview);
    }
SouthShoreAK
  • 4,176
  • 2
  • 26
  • 48