asp.net-mvc: asp.net mvc authorization using roles

Disclaimer: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you reuse it you must keep the same CC BY-SA licence and attribute it to the original authors (not me). Original StackOverflow post: http://stackoverflow.com/questions/390930/

Date: 2020-09-07 23:14:41  Source: igfitidea

asp.net mvc authorization using roles

Tags: asp.net-mvc, authorization

Asked by dp.

I'm creating an asp.net mvc application that has the concept of users. Each user is able to edit their own profile. For instance:


Nothing particularly exciting there...


However, I have run into a bit of trouble with the Authorization scheme. There are only two roles in the system right now, "Administrator" and "DefaultUser", but there will likely be more in the future.


I can't use the regular Authorize attribute to specify Authorization because both users are in the same role (i.e., "DefaultUser").


So, if I specify the Authorize Filter like so:


[Authorize(Roles = "DefaultUser")]

then there is no effect. PersonID=1 can go in and edit their own profile (as they should be able to), but they can also just change the URL to http://localhost/person/edit/2 and they have full access to edit PersonID=2's profile as well (which they should not be able to do).


Does this mean that I have to create my own Authorization filter that checks if the action the user is requesting "belongs" to them before allowing them access? That is, if the edit action, with parameter = 1 is being requested by the currently logged in person, do I need to do a custom check to make sure that the currently logged in person is PersonID=1, and if so, authorize them, and if not, deny access?


Feels like I'm missing something obvious here, so any guidance would be appreciated.


Answered by Matt Hamilton

Maybe you could organize the controller action such that the URL is more like http://localhost/person/editme and it displays the edit form for the currently-logged-in user. That way there's no way a user could hack the URL to edit someone else.


Answered by James Fleming

My $.02:


Authorized & authenticated are two different things. Simply put, the question is: can you do this thing, and are you supposed to do it? You can pick your friends, you can pick your nose, but you can't pick your friend's nose! There's no need to check authorization if every role can do it (user has a hand and a nose). Have a Post method for users to get to their own profile and test the profile id w/ the form's hidden values, or redirect (not your nose, go away).


Have a Get method for editing others' profiles and just check for the admin role here - (I'm a doctor, I'm authorized to stick things up your nose)...


Answered by Saajid Ismail

A more elegant solution would be to write your own Authorization action filter, either by extending [Authorize], or implementing IAuthorizationFilter, as follows:


using System.Web.Mvc;

public class AuthorizeOwnerAttribute : FilterAttribute, IAuthorizationFilter
{
    #region IAuthorizationFilter Members

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // add logic here that compares the currently logged in user, to the owner of the profile that is being edited
        // get currently logged in user info from filterContext.HttpContext.User.Identity;
        // get profile being edited from filterContext.RouteData or filterContext.Something
        // to deny access, set filterContext.Result (e.g. to an HttpUnauthorizedResult) so the action never runs
    }

    #endregion
}

I'm not sure on what the actual logic would be that goes into the OnAuthorization method, but my comments should give you a starting point. You'd have to Google to find out more - how to redirect the user to a different view, or whether to throw a strongly typed exception that is handled somewhere else (maybe in a [HandleError] attribute).


Answered by crucible

Matt is right.


What the authorisation is for is to show that they're allowed to perform that function - what you're trying to do is say whether they can perform the function for that particular ID.


So two solutions:


  1. Like Matt said, make an action that takes no ID, but looks up the current logged in user from the session information, and retrieves them.
  2. Make an action that takes an ID, but only allow administrators access - so they can modify other users' information if required.

But to answer the question, the Authorisation is only to say "Yes, this person can use the modify user action", not based on the parameter entered.


The other way is that you could make it check that the user retrieved == the current user, or redirect to another action saying that they cannot edit that user - but it'd be better just to provide an action that doesn't take an id, and just gets the current logged in user.

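The two approaches above (Matt's and crucible's id-less "edit me" action, and Saajid's owner-checking filter) worked out in ASP.NET MVC, as an added example that is not code from the original answers. The PersonIdentity.PersonIdFor mapping from the authenticated user name to a PersonID is an assumption standing in for the application's own user store; OwnerOnlyAttribute, PersonController and the "Administrator" role name are taken from the question's description.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical mapping from the logged-in user name to the PersonID that user owns.
// Assumed to be assigned once at application start from the app's own user store.
public static class PersonIdentity { public static Func<string, int?> PersonIdFor = name => null; }

// Allows the request only when the route's {id} is the caller's own PersonID, or the
// caller is an Administrator. Being a filter, it runs for GET and POST alike, so a
// tampered hidden form field is caught exactly like a tampered URL.
public class OwnerOnlyAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();   // 401: not logged in at all
            return;
        }
        if (user.IsInRole("Administrator")) return;                 // admins may edit anyone

        int requestedId;
        var raw = Convert.ToString(filterContext.RouteData.Values["id"]);
        var ownId = PersonIdentity.PersonIdFor(user.Identity.Name);
        if (!int.TryParse(raw, out requestedId) || ownId == null || ownId.Value != requestedId)
        {
            // Authenticated but not the owner: answer 403 instead of bouncing to the login page.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
    }
}

public class PersonController : Controller
{
    // Option 1 (Matt, crucible): no id in the URL; the profile is taken from the identity.
    [Authorize]
    public ActionResult EditMe()
    {
        var ownId = PersonIdentity.PersonIdFor(User.Identity.Name);
        if (ownId == null) return new HttpStatusCodeResult(403);
        return RedirectToAction("Edit", new { id = ownId.Value });
    }

    // Option 2 (Saajid): the id stays in the URL, but ownership is enforced server-side.
    [OwnerOnly]
    public ActionResult Edit(int id) { return View(); }   // load and render person {id}
}
```

Either way the decision is made from the server-side identity, never from the id the client supplied; the id only selects which record to show once ownership (or the admin role) has been confirmed.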

Answered by Wojtek

Solution for this problem: http://nerddinnerbook.s3.amazonaws.com/Part9.htm


"Using the User.Identity.Name property when Editing Dinners


Let's now add some authorization logic that restricts users so that they can only edit the properties of dinners they themselves are hosting..."
