I am using MVC 3 and have a custom authorization attribute inheriting AuthorizeAttribute on my controller. However, in one case, I want to access one action from this controller without any authentication on it. Is it possible?
I want to do it without making any changes in the controller file as that code is already in production. Is there any way to override from web config?
Yeah, you can do that by simply removing the Authorize attribute from the whole controller class and instead putting the Authorize attribute on individual actions wherever you want.
Related
I am using MVC and have a page like contact us. This page has a view and a controller with an action method create. That action method takes in a model and with that model it will add to a database and email users. Is there a way to lock down access to the controller, meaning they need to use the view to get access to the controller action method create? I think people can find the model format and just keep hitting the controller. Something like antiforgerytoken, but it’s not working in my application because of the classic mode. I get the message: This operation requires IIS integrated pipeline mode.
I have created a class CustomAuthorizeAttribute:AuthorizeAttribute for authorization, but I am unable to authorize in the razor view like #if(User.IsInRole("some role"));, but what I want is #if(CustomAuthorizeAttribute(My Parameters)) for my authorization.
How to do that?
AuthorizeAttribute works by placing it on an action method, a controller, or as a global filter. It is not possible to use MVC filters inside of views (or at least not without a lot of work).
I suggest you ask a different question and narrow it to your requirements. There must be some reason why you are attempting this, but it is impossible to work out what you need to do (or if there is a much simpler approach) from your question.
I want to apply ASP.Net membership on areas in an MVC 3.0 project, but I don't want to put [Authorize] in the controller. Is this possible? If so, how can I achieve this?
You can implement the security checks yourself on the call to each method by overriding OnActionExecuting in a base controller (or each one if you don't want to implement a base controller) and decide whether to allow the call or not. Just out of curiosity, why not use [Authorize]?
Yes, you can implement global authorization in MVC 3. You do this by first writing a global filter that overrides the default AuthorizeAttribute, then registering your custom filter in global.asax.
Check out this blog post for more details
Say that you have a controller named Buildings and that every user in the system has a set of buildings that he/she administrates. If you have an Edit action in your controller that you can access with /Buildings/Edit/{id}, is there a nice and simple way to implement some kind of authorization attribute that only allows access to this site if the id you are trying to edit is part of the logged-in user's set of buildings? Or do you have to handle this yourself in your controller?
regards
Freddy
You can use ActionFilterAttribute.
Check out this SO too
Check this post: asp.net mvc attributes actionfilterattribute and why you might want to use them
Sure you can, you can derive from the Authorize attribute to define your own authorization for an action method. There's an example of using it in this blog post.
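An added example, not taken from the answers above or from any post they link to: a per-building ownership check built by deriving from AuthorizeAttribute, as the last answer suggests. IBuildingAccess and BuildingOwnerAuthorizeAttribute are hypothetical names, and the code assumes the default {controller}/{action}/{id} route and an IBuildingAccess implementation registered with the MVC 3 DependencyResolver.

```csharp
using System.Web;
using System.Web.Mvc;
// Hypothetical lookup service; implement it over your own data store.
public interface IBuildingAccess
{
    bool UserAdministers(string userName, int buildingId);
}

public class BuildingOwnerAuthorizeAttribute : AuthorizeAttribute
{
    // AuthorizeAttribute also calls AuthorizeCore from its output-cache
    // validation callback; returning false there skips the cached copy.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Authenticated, plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext))
            return false;
        // Fail closed on a missing or malformed route id.
        object raw = httpContext.Request.RequestContext.RouteData.Values["id"];
        int buildingId;
        if (raw == null || !int.TryParse(raw.ToString(), out buildingId))
            return false;
        // Fail closed if no lookup service is registered.
        var access = DependencyResolver.Current.GetService<IBuildingAccess>();
        return access != null
            && access.UserAdministers(httpContext.User.Identity.Name, buildingId);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed-in but not an administrator of this building: 403, not a login redirect.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class BuildingsController : Controller
{
    [BuildingOwnerAuthorize]
    public ActionResult Edit()
    {
        // Read the same route value the filter checked; a bound "id" parameter
        // could be filled from a posted form field instead.
        int id = int.Parse(RouteData.Values["id"].ToString());
        return View(); // load and edit building `id` here
    }
}
```

The filter authorizes the route value only, so any action it protects should take the id from RouteData as shown, because default model binding consults posted form fields before route data.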
At what point should I be checking for my cookie in my MVC app? Basically, what I wish to do for each request is check to see if there is a cookie and, if so, show their name on the screen somewhere; if not, and the page requires the user to be logged in, redirect them to a login page.
I DON'T want to use FormsAuthentication as I wish to create and use my own IPrincipal object. I'm just not sure whether I should be setting these in a base controller class or creating my own Authorize attribute and doing the checks in there.
My initial thoughts are that I should be doing this in the base controller class as this is similar to the base page in webforms where I override oninit.
Do not attempt to do authentication in a base controller class. In a situation where an action result is cached, your action will not run at all, and no controller will ever be instantiated. Therefore, authentication done inside the controller is broken by design.
The correct way to customize authentication, for many reasons, is to create a custom authentication provider. I've explained the reasons why and given links to simple examples of how to do this in the post linked above.
In short, using this method:
Has the right level of modularity
Works with caching
Works with regular ASP.NET, as well as with MVC