Since it doesn't appear to be supported natively, what's the recommended way of implementing global filters on a per-area basis?
The reason it's not supported natively is because we want to discourage developers from doing it. Areas are not associated with controllers; they're associated with routes. We wanted to discourage developers from trying to apply authorization or other security-sensitive filters to areas since they can be bypassed.
See How can we set authorization for a whole area in ASP.NET MVC? for more information.
You could use a custom IFilterProvider.
Related
I am learning ASP.NET MVC 4 and a basic component is the User-part. I plan to have the articles have an author, which is turn is a user. However, the standard user stuff (AccounModel/Controller/View) that comes out of the box of the MVC seems very complicated and hard to extend, so I was wondering what are its advantages, and if people actually use this?
My backup plan is to delete the whole thing, and implement my own.
You can use your custom account staff (Model/Controller/View), but custom stuff should be based on shipped authorize system (AuthorizeAttribute, Roles, Account, database model schema) it will be better in many causes:
Usage default authorize system is more easy.
Default authorize system provide enouth functionality to manage roles, accounts etc.
Developing your authorize system is very complicated because the cost of fails, bugs in your own authorize components may be cause of security breaches.
I would recommend developing your custom authorize components in rare cases.
It's just an example template... You can extend it if you want but lots of people use their own.
especially when working with Entity framework and generating models and views it's easier and better fitting to use your own methodology. since if you do not, it will be an exception to what you are doing and in coding we don't like exceptions :-) .
Initially, I want to use dynamic data and binding with validation with web forms and combine it with MVC. Is it possible to combine both of them on a single web application?
One important thing also is I want to use the built-in role based memberships in ASP.NET Web Forms.
You can use the build in membership system from asp. It is available. Link
The dynamic binding is a other problem since you send objects to a view. That view has to deal with the objects in his own way.
To reuse webform controls:
There has been some research to it but it is difficult to do.
And even then it is not always the way you want it.
See my question: link
It's not easy to combine Dynamic Data with ASP.NET MVC. You can use the scaffolding in MVC to get you started. The membership is available in MVC.
Django has the Flatpages app, which lets site admins change content on specific pages without changing code. Flatpage content i stored in the database, sort of like in a CMS. Flatpages are typically used for about-pages and such.
Are there any good equivalents for ASP.Net MVC? I.e., a convenient way to manage page-content persisted to a database.
No.
Django seems closer to a CMS then "ASP.NET MVC" which is both a framework and just a general design pattern.
Have a look at http://http://cmsmvc.codeplex.com, it allows you to create pages, and manage content on the page.
The solution is still in early stages, but it could help you out.
Building an application, and there will be different levels of access.
What is the recommended way to restrict the display of navigation elements to those appropriate to the current user? Are there any built-in helper for this?
I asked a similar question here. There are a few options, depending on your needs something as simple as checking User.Identity.IsInRole("xyz") in the view may suffice (not ideal, but it gets the job done).
If you have a complex navigation structure, the answers provided in my question maybe of use to you.
I should point out that as #casperOne has mentioned, the [Authorize] attribute will prevent unauthorized access to the actions in question, but will not help with the display of menu navigation to them.
I have an application that will support multiple sites. The site will be determined based on the url.
For example
http://myapp/site/abc123/...
and
http://myapp/site/xyz123/...
The site code will drive a lot of the functionality for example themes, available modules, etc...
Questions:
1-)I need to validate the site code is valid and if it isn't, it should direct the user to an info page. I was looking at using IRouteConstraint, is this appropriate? Are there other/better options?
2-)Any gotchas with this approach (using url to identify site)? Is there are better approach?
Solution
I ended up creating a Custom ActionFilter and check the sitecode in the OnActionExecuting event. That seems to work well and fit better than the IRouteConstraint.
The system I have implemented uses Urls to identify unique page content within a single site and the routing process is pretty straightforward. That being said, you may want to consider making use of Areas in your MVC application. With Areas you can have multiple sections to your website that all have their own MVC structure which can run semi-independently.
Essentially, you will have one base routing definition that lays out some defaults and then the rest of the "sites" will define their own routes pointing to controllers and views in a separate location. It's pretty easy to set up, you'll just need to make sure you're using version 2.0 of ASP.NET MVC. Here's a decent looking tutorial on ASP.NET MVC Areas and Routes. In the current model which MVC 2.0 supports you'll have a single Web project for each area, but that is not necessarily a requirement. Phil Haacked has some code for ASP.NET MVC Single Project Areas if you're looking for another example of the technique, although you, personally, will probably benefit more from the first article.
So long as you define good routes that have clear and measurable constraints, you shouldn't have too much trouble laying out the website you've described.
I ended up creating a Custom ActionFilter and check the sitecode in the OnActionExecuting event. That seems to work well and fit better than the IRouteConstraint.