Secure data topic updates (dotnet#9899)

Author: guardrex

aspnetcore/security/authorization/secure-data.md

@@ -3,7 +3,7 @@ title: Create an ASP.NET Core app with user data protected by authorization
 author: rick-anderson
 description: Learn how to create a Razor Pages app with user data protected by authorization. Includes HTTPS, authentication, security, ASP.NET Core Identity.
 ms.author: riande
-ms.date: 7/24/2018
+ms.date: 12/07/2018
 ms.custom: seodec18
 uid: security/authorization/secure-data
 ---
@@ -277,25 +277,32 @@ See [this issue](https://github.com/aspnet/Docs/issues/8502) for information on:
 
 ## Test the completed app
 
+If you haven't already set a password for seeded user accounts, use the [Secret Manager tool](xref:security/app-secrets#secret-manager) to set a password:
+
+* Choose a strong password: Use eight or more characters and at least one upper-case character, number, and symbol. For example, `Passw0rd!` meets the strong password requirements.
+* Execute the following command from the project's folder, where `<PW>` is the password:
+
+  ```console
+  dotnet user-secrets set SeedUserPW <PW>
+  ```
+
 If the app has contacts:
 
-* Delete all the records in the `Contact` table.
+* Delete all of the records in the `Contact` table.
 * Restart the app to seed the database.
 
-Register a user for browsing the contacts.
-
-An easy way to test the completed app is to launch three different browsers (or incognito/InPrivate versions). In one browser, register a new user (for example, `[email protected]`). Sign in to each browser with a different user. Verify the following operations:
+An easy way to test the completed app is to launch three different browsers (or incognito/InPrivate sessions). In one browser, register a new user (for example, `[email protected]`). Sign in to each browser with a different user. Verify the following operations:
 
-* Registered users can view all the approved contact data.
+* Registered users can view all of the approved contact data.
 * Registered users can edit/delete their own data.
-* Managers can approve or reject contact data. The `Details` view shows **Approve** and **Reject** buttons.
-* Administrators can approve/reject and edit/delete any data.
-
-| User| Options |
-| ------------ | ---------|
-| [email protected] | Can edit/delete own data |
-| [email protected] | Can approve/reject and edit/delete own data |
-| [email protected] | Can edit/delete and approve/reject all data|
+* Managers can approve/reject contact data. The `Details` view shows **Approve** and **Reject** buttons.
+* Administrators can approve/reject and edit/delete all data.
+
+| User                | Seeded by the app | Options                                  |
+| ------------------- | :---------------: | ---------------------------------------- |
+| [email protected]    | No                | Edit/delete the own data.                |
+| [email protected] | Yes               | Approve/reject and edit/delete own data. |
+| [email protected]   | Yes               | Approve/reject and edit/delete all data. |
 
 Create a contact in the administrator's browser. Copy the URL for delete and edit from the administrator contact. Paste these links into the test user's browser to verify the test user can't perform these operations.
 

aspnetcore/security/authorization/secure-data/samples/final2.1/ContactManager.csproj

@@ -7,7 +7,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.App" Version="2.2.0" />
+    <PackageReference Include="Microsoft.AspNetCore.App" />
     <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="2.2.0" PrivateAssets="All" />
   </ItemGroup>
 

aspnetcore/security/authorization/secure-data/samples/final2.1/Pages/Error.cshtml

@@ -16,8 +16,11 @@
 
 <h3>Development Mode</h3>
 <p>
-    Swapping to <strong>Development</strong> environment will display more detailed information about the error that occurred.
+    Swapping to the <strong>Development</strong> environment displays detailed information about the error that occurred.
 </p>
 <p>
-    <strong>Development environment should not be enabled in deployed applications</strong>, as it can result in sensitive information from exceptions being displayed to end users. For local debugging, development environment can be enabled by setting the <strong>ASPNETCORE_ENVIRONMENT</strong> environment variable to <strong>Development</strong>, and restarting the application.
+    <strong>The Development environment shouldn't be enabled for deployed applications.</strong>
+    It can result in displaying sensitive information from exceptions to end users.
+    For local debugging, enable the <strong>Development</strong> environment by setting the <strong>ASPNETCORE_ENVIRONMENT</strong> environment variable to <strong>Development</strong>
+    and restarting the app.
 </p>

aspnetcore/security/authorization/secure-data/samples/final2.1/Pages/Error.cshtml.cs

@@ -8,13 +8,13 @@
 
 namespace ContactManager.Pages
 {
+    [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
     public class ErrorModel : PageModel
     {
         public string RequestId { get; set; }
 
         public bool ShowRequestId => !string.IsNullOrEmpty(RequestId);
 
-        [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
         public void OnGet()
         {
             RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier;

aspnetcore/security/authorization/secure-data/samples/starter2.1/ContactManager.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp2.1</TargetFramework>
+    <TargetFramework>netcoreapp2.2</TargetFramework>
     <UserSecretsId>aspnet-ContactManager-7A098A32-4BE0-4A2D-89E1-F082633B4EC9</UserSecretsId>
   </PropertyGroup>
 

aspnetcore/security/authorization/secure-data/samples/starter2.1/Pages/Error.cshtml

@@ -16,8 +16,11 @@
 
 <h3>Development Mode</h3>
 <p>
-    Swapping to <strong>Development</strong> environment will display more detailed information about the error that occurred.
+    Swapping to the <strong>Development</strong> environment displays detailed information about the error that occurred.
 </p>
 <p>
-    <strong>Development environment should not be enabled in deployed applications</strong>, as it can result in sensitive information from exceptions being displayed to end users. For local debugging, development environment can be enabled by setting the <strong>ASPNETCORE_ENVIRONMENT</strong> environment variable to <strong>Development</strong>, and restarting the application.
+    <strong>The Development environment shouldn't be enabled for deployed applications.</strong>
+    It can result in displaying sensitive information from exceptions to end users.
+    For local debugging, enable the <strong>Development</strong> environment by setting the <strong>ASPNETCORE_ENVIRONMENT</strong> environment variable to <strong>Development</strong>
+    and restarting the app.
 </p>

aspnetcore/security/authorization/secure-data/samples/starter2.1/Pages/Error.cshtml.cs

@@ -8,13 +8,13 @@
 
 namespace ContactManager.Pages
 {
+    [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
     public class ErrorModel : PageModel
     {
         public string RequestId { get; set; }
 
         public bool ShowRequestId => !string.IsNullOrEmpty(RequestId);
 
-        [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
         public void OnGet()
         {
             RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier;