Basically, I have a table which contains a few properties for a company. This is the "master" table and their ID is used in many other tables. I basically find their ID via this method:
    private Company currentcompany()
    {
        Company cuco = db.Companies.Single(x => x.username == User.Identity.Name);
        return cuco;
    }
I need to give users the ability to update various details about themselves stored in this table, which I did perfectly well - however, I noticed a big security hole!
Using Tamper Data on Firefox (and I imagine Fiddler/many others), I could easily change the hidden ID and modify another company's details.
To stop this, I added the following lines to the modify action:
    Company cuco = currentcompany();
    if (company.id != cuco.id)
    {
        return Content("Security Error");
    }
(FYI - Company is a model/POCO representing a company, and company itself is the form data.)
After adding this, if I edit the ID in the form data, it works as expected and brings up "Security Error", however, if there isn't an error and I go on, I get the error in the question.
"An object with the same key already exists in the ObjectStateManager. The ObjectStateManager cannot track multiple objects with the same key."
I believe this is because EF is somehow detecting and keeping the first data pull, but I am just unsure how to correct it.
Any advice?
edit-
--update--
If you can understand what I am trying to achieve, is there a better way of going around this?
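
One way to close the hole described in the question, shown as an added example that is not part of the original post: bind the form to a view model that has no ID at all, look the row up from the authenticated user name, and copy the editable fields onto that already-tracked entity, so no second Company with the same key is ever attached to the context. The context type `CompanyEntities`, the `name` and `phone` columns, the `CompanyEditModel` class and the `Index` action are assumptions.

```csharp
using System.Linq;
using System.Web.Mvc;

// Hypothetical view model: only the fields a company may edit about itself.
// It has no id or username, so a tampered hidden field has nothing to bind to.
public class CompanyEditModel
{
    public string name { get; set; }   // assumed column
    public string phone { get; set; }  // assumed column
}

public class CompanyController : Controller
{
    // Assumed name for the EF context that exposes db.Companies.
    private readonly CompanyEntities db = new CompanyEntities();

    // Same lookup as in the post: the row is chosen by the authenticated
    // user name, which the server controls, not by anything in the form.
    private Company currentcompany()
    {
        return db.Companies.Single(x => x.username == User.Identity.Name);
    }

    [HttpPost]
    [Authorize]
    public ActionResult Modify(CompanyEditModel form)
    {
        if (!ModelState.IsValid)
        {
            return View(form);
        }

        // The entity returned here is already tracked by the context.
        Company cuco = currentcompany();

        // Copy the whitelisted fields onto the tracked entity instead of
        // attaching a second Company built from the request. Only one object
        // with this key exists in the context, so SaveChanges() updates it.
        cuco.name = form.name;
        cuco.phone = form.phone;
        db.SaveChanges();

        return RedirectToAction("Index"); // assumed action name
    }
}
```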