Get Logged in User in ActionFilterAttribute - asp.net-mvc

I want to apply an action filter on one of my ActionResult methods.
I want to be able to pass to the ActionFilterAttribute the currently logged in user id.
Is there either a way I can pass the user to the attribute or have the attribute pick up the logged in user?

See:
MVC: creating a custom [AuthorizeAttribute] which takes parameters?
Lol, didn't realize I sent you on a double hop, direct link:
How to pass parameters to a custom ActionFilter in ASP.NET MVC 2?

Note that there are two different ActionFilterAttributes:
System.Web.Http.Filters.ActionFilterAttribute does not have an HttpContext property
while
System.Web.Mvc.ActionFilterAttribute does
If you are having trouble figuring out how to get the HTTP context from within your filter, it's probably because you are using the wrong one.

What about:
HttpContext.Current.User
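As an added example (not code from any of the posts above), this System.Web.Mvc filter picks up the logged-in user from the filter context instead of receiving it as an attribute argument. The names InjectCurrentUserAttribute, currentUserName and OrdersController are hypothetical.

```csharp
using System.Linq;
using System.Web.Mvc;

// Added example. InjectCurrentUserAttribute and the "currentUserName"
// parameter name are hypothetical.
public class InjectCurrentUserAttribute : ActionFilterAttribute
{
    // Attribute arguments must be compile-time constants, so only the
    // parameter name is configured here; the user is resolved per request.
    public string ParameterName { get; set; }

    public InjectCurrentUserAttribute()
    {
        ParameterName = "currentUserName";
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // No logged-in user: stop before the action runs.
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        bool declared = filterContext.ActionDescriptor.GetParameters()
            .Any(p => p.ParameterName == ParameterName);
        if (declared)
        {
            // Overwrite whatever model binding took from the query string or
            // form, so a client cannot supply this value itself.
            filterContext.ActionParameters[ParameterName] = user.Identity.Name;
        }
    }
}

public class OrdersController : Controller
{
    [InjectCurrentUser]
    public ActionResult Index(string currentUserName)
    {
        // Plain text so the user name is never interpreted as HTML.
        return Content("Orders for " + currentUserName, "text/plain");
    }
}
```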

Related

What are filters in asp.net mvc

What are the filters in ASP.NET MVC? Can anyone explain clearly?
How to create custom filters in ASP.NET MVC 4?
[Authorize]
public ActionResult Index()
{
    return View();
}
In ASP.NET MVC, controllers define action methods that usually have a one-to-one relationship with possible user interactions, such as clicking a link or submitting a form. For example, when the user clicks a link, a request is routed to the designated controller, and the corresponding action method is called.
Sometimes you want to perform logic either before an action method is called or after an action method runs. To support this, ASP.NET MVC provides action filters. Action filters are custom attributes that provide a declarative means to add pre-action and post-action behavior to controller action methods.
Check Filters-and-Attributes-in-ASPNET-MVC
The filter attribute has the Order property, which can be used to manage the order. The order needs to be the order the business process is to follow. For example, if the HandleError attribute is given a higher order than the Authorize attribute, then even unauthorized users will be getting application errors. It would be better to say "Please Login".

.NET custom authorize attribute (mvc)

In a certain controller I have CRUD methods. In order to access these methods the user needs to be logged in. This is why I used the [Authorize] attribute for this controller. Now I need an additional attribute which would check if the item that the user wants to view/delete/update belongs to him.
Is it possible and recommended to do this with an attribute, or would you suggest using check methods inside each method? If you suggest using an attribute, could you please provide me some links/instructions?
EDIT:
Of course, if the attribute returns false then I don't want to redirect the user to the login page but show him an error message...
It can be done with a custom Authorize attribute, but it's much cleaner to put the logic inside your controller methods.
The attribute is related to the action being called (the controller class method). On that basis any attribute relating to the user's ownership of the object being manipulated (from your Model) should really be on the entity/class that the user is attempting to manipulate. You'll probably find it easier to validate the user within the Model method rather than using an attribute to achieve this.
In my opinion it is possible, just google for 'Custom Authorize Attribute'.
But maybe it is better to query your database with something like this:
ContextOrSession.Query<Something>().Where(s => s.Groups.Intersect(User.Groups).Count() > 0)
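An added example (not from the posts above) of the controller-side check the answers recommend: every lookup is scoped to the current user, and a miss produces an error response rather than a login redirect. The Note entity, the in-memory store and NotesController are constructed for illustration.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Hypothetical entity, constructed for this example.
public class Note
{
    public int Id { get; set; }
    public string OwnerName { get; set; }
    public string Text { get; set; }
}

[Authorize] // anonymous users are still sent to the login page
public class NotesController : Controller
{
    // Constructed sample data standing in for a database table
    // (a static list is not thread-safe; use a real store in practice).
    private static readonly List<Note> Store = new List<Note>
    {
        new Note { Id = 1, OwnerName = "alice", Text = "alice's note" },
        new Note { Id = 2, OwnerName = "bob", Text = "bob's note" }
    };

    // The owner filter is part of the query itself, so an id that belongs to
    // someone else looks exactly like an id that does not exist.
    private Note FindOwned(int id)
    {
        string me = User.Identity.Name;
        return Store.SingleOrDefault(n => n.Id == id && n.OwnerName == me);
    }

    public ActionResult Details(int id)
    {
        Note note = FindOwned(id);
        // 404 rather than 401: under forms authentication a 401 becomes a
        // redirect to the login page, which the question wants to avoid.
        if (note == null) return HttpNotFound();
        return View(note);
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        Note note = FindOwned(id);
        if (note == null) return HttpNotFound();
        Store.Remove(note);
        return RedirectToAction("Details", new { id = 0 }); // hypothetical landing page
    }
}
```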

I need to re route action based on some criteria

If a user is logged in and the ChangePasswordRequired flag is set, I need to disregard the current action and redirect them to the ChangePassword action.
In other words, I do not want the user to be able to do anything until he or she changes his or her password.
Which method should my base controller override and how should I handle the redirect?
You should create your own action filter.
The exact type of action filter you want to use is one that implements IAuthorizationFilter, and the method you want to use is the OnAuthorizing() or close. This filter type is executed before all the others.
Instead of the [Authorize] filter you would use your own filter. Be sure to check your flag and whether the user is authenticated (Request.IsAuthenticated).
Kindness,
Dan
I would use an action filter that you add to every controller class that should implement this behaviour. You can read some more in this blog post by Phil Haack.
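An added example (not from the answers above) of the forced password change as a System.Web.Mvc authorization filter. The Account/ChangePassword and Account/LogOff names and the ChangeRequired lookup are assumptions; the lookup has to be wired to the application's own user store.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;

// Added example. Route names and the ChangeRequired hook are assumptions.
public class RequirePasswordChangeAttribute : FilterAttribute, IAuthorizationFilter
{
    // Hypothetical hook: returns true when the named user has the
    // ChangePasswordRequired flag set.
    public static Func<string, bool> ChangeRequired = userName => false;

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // Child actions render inside a parent request that was already checked.
        if (filterContext.IsChildAction) return;

        var http = filterContext.HttpContext;
        // Anonymous requests are left to [Authorize].
        if (!http.Request.IsAuthenticated) return;

        // Let the password-change and log-off actions through; otherwise the
        // redirect below would loop forever.
        string controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        string action = filterContext.ActionDescriptor.ActionName;
        bool exempt =
            controller.Equals("Account", StringComparison.OrdinalIgnoreCase) &&
            (action.Equals("ChangePassword", StringComparison.OrdinalIgnoreCase) ||
             action.Equals("LogOff", StringComparison.OrdinalIgnoreCase));
        if (exempt) return;

        if (ChangeRequired(http.User.Identity.Name))
        {
            // Setting Result short-circuits the pipeline: the requested
            // action never executes.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { controller = "Account", action = "ChangePassword" }));
        }
    }
}

public static class FilterConfig
{
    // Registered globally so a newly added controller cannot forget it.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new RequirePasswordChangeAttribute());
    }
}
```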

asp.net mvc newbie question

I recently started to look into asp.net mvc. Here is my issue.
Say every page on an application needs a variable set by the user, e.g. a date. If the user starts from the URL I provide, it is all good, as I ask for that date and save it for the session. How can I redirect the user to the first page if they save some other URL (to a different controller and action)?
In other words, I guess I am looking for something like [Authorize] attribute but on an application level.
Thanks for any help.
I would probably create a base controller that all of my controllers derive from. In the base controller I'd override the OnActionExecuting method to check the session for the required variable. If the variable isn't present, I would set the ActionExecutingContext Result property to a RedirectToRouteResult to the appropriate controller/action to set the variable.
Another alternative is to create a custom FilterAttribute that you decorate the appropriate controllers/actions with that does basically the same thing. I would only do this if the filter was to apply only to certain controllers or actions and not all as you describe in your question.

ASP.NET MVC Roles Authorization

I want to make the roles default for my controller class to "Administrators, Content Editors"
[Authorize(Roles = "Administrators, Content Editor")]
I've done this by adorning the controller with the attribute above. However, there is one action that I want to be available to all (namely "View"). How can I reset the Roles so that everyone (including completely unauthorized users) has access for this action?
Note: I know I could adorn every single other action with the authorize attribute above, but I don't want to have to do that all the time. I want all of the controller's actions to be inaccessible by default so that if anyone adds an action they have to make a considered decision to make it available to the general public.
MVC4 has a new attribute exactly meant for this [AllowAnonymous]
[AllowAnonymous]
public ActionResult Register()
http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx
You can place the Authorize attribute on the action methods. Not just at the class level.
So, move the attribute from the controller class to just the action methods you want to secure.
The only solution I can think of so far is to create and register another controller so that I have one for anonymous access, and one for authorized access but that's not quite as elegant as I would have liked.
