Mvc access controller antiforgerytoken options - asp.net-mvc

I am using MVC and have a page like contact us. This page has a view and a controller with an action method create. That action method takes in a model and with that model it will add to a database and email users. Is there a way to lock down access to the controller, meaning they need to use the view to get access to the controller action method create? I think people can find the model format and just keep hitting the controller. Something like antiforgerytoken, but it's not working in my application because of the classic mode. I get the message "This operation requires IIS integrated pipeline mode."

Related

Dynamic Wizard solution in MVC

I am using MVCSiteMapProvider in a MVC application to implement a wizard based workflow solution. The SiteMap file contains the nodes and branches representing different flows of the wizard.
I have a model class that collects the selected data in the wizard pages (it is one simple class as there is only one item to select from each page). Every time the form gets submitted to the server, I look at what was the recent selection user made and route the model to an appropriate action method and return the associated view.
I am planning to use one common routing controller and an action method where I will submit all my forms (all the wizard pages), check from the model property where it has to be routed to and route to that action method using http WebRequest class as seen here and here.
MVCSiteMap XML file contains the controller and action method names that I am planning to use for routing along with the model. I don't know how to create the controller object instance and its action using their string names.
Would this approach cause any performance issue? Please help/advise.

Accessing One action publicly after having custom authorization on controller?

I am using MVC 3 and have a custom authorization attribute inheriting AuthorizeAttribute on my controller. However, in one case, I want to access one action from this controller without any authentication on it. Is it possible?
I want to do it without making any changes in the controller file as that code is already in production. Is there any way to override from web config?
Yeah, you can do that by simply removing the Authorize attribute from the whole controller class and rather having the Authorize attribute on individual actions wherever you want.

Most effective way to redirect from mvc4 to another application

I have an mvc4 application that I am looking at hosting on azure websites. The only task is to take a code from a parameter and redirect to a page within our main application. We have a .co domain so we are issuing shortcodes like mydomain.co/abc. I check the code, in this example abc, and redirect it to somewhere in our main application.
My question is do I just create a controller and do the redirect from the controller or can I do this before the controller? I want it to be as lightweight as possible.
Thank you
A controller action taking the parameter, querying some data store by passing it this parameter in order to retrieve additional data and finally redirecting to the corresponding application seems fine. Another possibility is to write a custom route that will perform those tasks but IMHO having a controller action to do it seems easier.

classic asp page posting to mvc3 controller action

I am currently working with integrating a classic asp site with MVC3. I have some questions on some areas of the integration that I would like some feedback on.
Firstly, I have an asp page posting to an MVC controller action. I have very little scope to modify the asp page. I want to take the form fields posted from the asp page and map them into a model object. The posted values have obscure names such as "my_name" which I want to map to Name property on the model object. Is the best way of doing this via a Model Binder or is there an alternative?
Next question I have is a follow on from the previous. I am concerned with any cross site scripting so want to check the values of the posted variables to be valid and contain no strange characters etc. Is there something built in to MVC3 that does this out of the box?
When the asp page posts to the controller action, I would like to show a waiting icon while the controller action is processing as the controller action could take 10 seconds plus as it must call external systems etc. Therefore I don't want the post to seem as if it's hanging. Is it possible to wire up the controller action to return a view with a waiting icon, while the main body of the action is processing in the background and once complete redirects to another page?
Is the best way of doing this via a Model Binder or is there an alternative?
The best way of doing this is a model binder. You can have a custom model binder to take care of the ASP scenario that maps the my_name to Name. Mostly you should have a separate action to handle the requests coming from classic asp and you can link the custom model binder to only this action.
Is there something built in to MVC3 that does this out of the box?
The request validation is enabled by default in MVC. So if a user tries to post a script block to the action, MVC will throw an exception. Of course you can switch off request validation by decorating the action with ValidateInput(false) if you need.
For long running actions you have to use asynccontrollers.
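An added example, not part of the original answer: a custom model binder attached to one dedicated action, mapping the legacy field my_name to Name and applying an allow-list check on top of the default request validation. ContactModel, LegacyContactBinder, LegacyController and the name pattern are assumptions made for illustration.

```csharp
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Hypothetical model for the values posted by the classic ASP form.
public class ContactModel
{
    public string Name { get; set; }
}

// Maps the legacy field "my_name" to ContactModel.Name and allow-lists its content.
public class LegacyContactBinder : IModelBinder
{
    // Assumed policy: letters, spaces, apostrophes, dots and hyphens, 1 to 100 characters.
    private static readonly Regex NamePattern =
        new Regex(@"^[\p{L} .'\-]{1,100}$", RegexOptions.CultureInvariant);

    public object BindModel(ControllerContext controllerContext,
                            ModelBindingContext bindingContext)
    {
        // Read the legacy field through the value provider rather than Request.Form directly.
        ValueProviderResult posted = bindingContext.ValueProvider.GetValue("my_name");
        string name = posted == null ? null : (posted.AttemptedValue ?? "").Trim();

        if (string.IsNullOrEmpty(name) || !NamePattern.IsMatch(name))
        {
            // Record the failure instead of throwing, so the action decides how to respond.
            bindingContext.ModelState.AddModelError(
                "Name", "Name is missing or contains unexpected characters.");
        }
        return new ContactModel { Name = name };
    }
}

public class LegacyController : Controller
{
    // The binder is linked to this action only; other actions keep the default binder.
    [HttpPost]
    public ActionResult Receive([ModelBinder(typeof(LegacyContactBinder))] ContactModel model)
    {
        if (!ModelState.IsValid)
        {
            return new HttpStatusCodeResult(400, "Invalid form data");
        }
        // Call the external systems here; views must still HTML-encode model.Name on output.
        return RedirectToAction("Done");
    }

    public ActionResult Done() { return Content("Received"); }
}
```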

Custom Authentication asp.net MVC

At what point should I be checking for my cookie in my mvc app? Basically what I wish to do for each request is check to see if there is a cookie and if so show their name on the screen somewhere; if not, and the page requires the user to be logged in, redirect them to a login page.
I DON'T want to use FormsAuthentication as I wish to create and use my own IPrincipal object. I'm just not sure whether I should be setting these in a base controller class or creating my own Authorize attribute and doing the checks in there.
My initial thoughts are that I should be doing this in the base controller class as this is similar to the base page in webforms where I override oninit.
Do not attempt to do authentication in a base controller class. In a situation where an action result is cached, your action will not run at all, and no controller will ever be instantiated. Therefore, authentication done inside the controller is broken by design.
The correct way to customize authentication, for many reasons, is to create a custom authentication provider. I've explained the reasons why and given links to simple examples of how to do this in the post linked above.
In short, using this method:
Has the right level of modularity
Works with caching
Works with regular ASP.NET, as well as with MVC
