Security for user editing only their own content

Web/Attributes/LogOwnerAuthorizeAttribute.cs

@@ -0,0 +1,32 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security;
+using System.Web;
+using System.Web.Mvc;
+using MileageTraker.Web.DAL;
+using MileageTraker.Web.Models;
+
+namespace MileageTraker.Web.Attributes
+{
+	public class LogOwnerAuthorizeAttribute : AuthorizeAttribute
+	{
+		protected override bool AuthorizeCore(HttpContextBase httpContext)
+		{
+			var authorized = base.AuthorizeCore(httpContext);
+			if (!authorized)
+			{
+				return false;
+			}
+
+			var rd = httpContext.Request.RequestContext.RouteData;
+
+			var id = int.Parse(rd.Values["id"].ToString());
+			var dataService = new DataService();
+			var log = dataService.GetLog(id);
+
+			var userName = httpContext.User.Identity.Name;
+			return log.User.Username == userName;
+		}
+	}
+}

Web/Controllers/CreateLogController.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Linq;
+using System.Security;
 using System.Web.Mvc;
 using MileageTraker.Web.Attributes;
 using MileageTraker.Web.Models;
@@ -36,6 +37,7 @@ namespace MileageTraker.Web.Controllers
 			return View(model);
 		}
 
+		[LogOwnerAuthorize]
 		public ActionResult EditPast(int id)
 		{
 			var log = DataService.GetLog(id);
@@ -53,6 +55,8 @@ namespace MileageTraker.Web.Controllers
 			if (ModelState.IsValid)
 			{
 				var log = DataService.GetLog(viewModel.LogId);
+				if (log.User.Username != User.Identity.Name)
+					throw new SecurityException();
 				viewModel.SetProperties(log);
 
 				if (viewModel.Purpose != null)

Web/Views/CreateLog/EditPast.cshtml

@@ -16,7 +16,7 @@
         @Html.EditorForModel()
         <div class="form-actions">
 	        <input type="submit" value="Update" class="btn btn-primary" />
-			@Html.ActionLink("Cancel", "Index", new {}, new { @class = "btn btn-mini" })
+			@Html.ActionLink("Cancel", "Index", new {}, new { @class = "btn" })
         </div>
     </fieldset>
 }

Web/Web.csproj

@@ -112,6 +112,7 @@
     <Compile Include="Attributes\FormatHintAttribute.cs" />
     <Compile Include="Attributes\HttpParamActionAttribute.cs" />
     <Compile Include="Attributes\InputSizeAttribute.cs" />
+    <Compile Include="Attributes\LogOwnerAuthorizeAttribute.cs" />
     <Compile Include="Attributes\NoEditLabelAttribute.cs" />
     <Compile Include="Attributes\UnitsAttribute.cs" />
     <Compile Include="Attributes\UserActivityAttribute.cs" />