I am developing a multi-user website using Dynamic Data and wondered if someone could answer the following or provide advice:
What is the best way of protecting data so someone (who has a login to the site) cannot see records intended ONLY to be viewable by another valid user?
As far as I can see, a user can simply tamper with querystring or URL values (if using routing) and bring up the details of records they should not.
Any help would be gratefully appreciated. I am drawing a blank so far, and the easiest option may be to go back to a traditional ASP.NET site where I can control things simply by use of a Session variable (UserID).
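
The tampering risk described in the question, shown as an added example that is not part of the original post: a lookup that trusts the id from the URL beside one where the owner filter is part of the query. The `Order` type, the `OwnerUserId` column and the sample rows are constructed for illustration, and `currentUserId` is assumed to come from the server-side authenticated identity.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample record; OwnerUserId is a hypothetical column naming the owning user.
public sealed class Order
{
    public int Id { get; set; }
    public int OwnerUserId { get; set; }
    public string Details { get; set; }
}

public static class OrderAccess
{
    // Constructed sample rows standing in for the database table.
    private static readonly IQueryable<Order> Orders = new List<Order>
    {
        new Order { Id = 1, OwnerUserId = 10, Details = "order owned by user 10" },
        new Order { Id = 2, OwnerUserId = 20, Details = "order owned by user 20" },
        new Order { Id = 3, OwnerUserId = 10, Details = "second order of user 10" },
    }.AsQueryable();

    // Weak: the only filter is the id taken from the query string or route,
    // so any logged-in user can load any row by changing that value.
    public static Order GetByIdUnscoped(int requestedId) =>
        Orders.SingleOrDefault(o => o.Id == requestedId);

    // Every query passes through this owner filter first. currentUserId must be
    // read from the authenticated identity on the server, never from the request.
    public static IQueryable<Order> ScopeToUser(IQueryable<Order> source, int currentUserId) =>
        source.Where(o => o.OwnerUserId == currentUserId);

    // Details page: a row owned by someone else is indistinguishable from a missing row.
    public static Order GetByIdForUser(int requestedId, int currentUserId) =>
        ScopeToUser(Orders, currentUserId).SingleOrDefault(o => o.Id == requestedId);

    // List page: the same filter, so list and details views cannot drift apart.
    public static List<Order> ListForUser(int currentUserId) =>
        ScopeToUser(Orders, currentUserId).OrderBy(o => o.Id).ToList();

    public static void Main()
    {
        const int currentUserId = 10;   // constructed: the authenticated user
        const int tamperedId = 2;       // constructed: an id belonging to user 20
        Console.WriteLine("unscoped returns a row: " + (GetByIdUnscoped(tamperedId) != null));
        Console.WriteLine("scoped returns a row:   " + (GetByIdForUser(tamperedId, currentUserId) != null));
        Console.WriteLine("rows listed for user:   " + ListForUser(currentUserId).Count);
    }
}
```

The same filter belongs wherever a page's data source builds its query, so that the check holds regardless of what the URL contains.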