Distinguishing controller actions using authorization filters

前端 未结 2 2056
迷失自我
迷失自我 2021-01-15 06:23

I would like to have 4 actions with the same name (controller methods may have a different name, but their ActionName() attribute is the same for all 4 of them:

2条回答
  •  挽巷
    挽巷 (楼主)
    2021-01-15 07:06

    @Paco is right. AuthorizeAttribute doesn't have anything to do with action selection. His suggestion didn't feel right so thanks to him I did some digging into MVC code and I came up with the most appropriate solution myself.

    Solution as it was meant to be

    There's an extensibility point for these things in MVC. Basically what you have to do is to write you own ActionMethodSelectionAttribute that will handle this. I created one that selects action based on user authorization (either anonymous or authorized). Here's the code:

    /// 
    /// Attribute restricts controller action execution only to either anonymous or authenticated users
    /// 
    [AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = false)]
    public class AllowAuthenticatedAttribute : ActionMethodSelectorAttribute
    {
        /// 
        /// Gets or sets a value indicating whether this  allows authenticated or anonymous users to execute decorated controller action.
        /// 
        /// true if authenticated users are allowed to execute the action; false if anonymous users are allowed to execute the action.
        public bool Authenticated { get; set; }
    
        /// 
        /// Initializes a new instance of the  class.
        /// 
        /// If set to true only authorized users will be able to access this action.
        public AllowAuthenticatedAttribute(bool authenticated)
        {
            this.Authenticated = authenticated;
        }
    
        /// 
        /// Determines whether the action method selection is valid for the specified controller context.
        /// 
        /// The controller context.
        /// Information about the action method.
        /// 
        /// true if the action method selection is valid for the specified controller context; otherwise, false.
        /// 
        public override bool IsValidForRequest(ControllerContext controllerContext, System.Reflection.MethodInfo methodInfo)
        {
            if (controllerContext == null)
            {
                throw new ArgumentNullException("controllerContext");
            }
            return this.Authenticated == controllerContext.HttpContext.User.Identity.IsAuthenticated;
        }
    }
    

    Additional observation

    When I decorated my action methods with my custom attribute I still got the same exception until I added [HttpGet] to my GET actions. Why is that? I found the answer in the flowchart in Pro ASP.NET MVC Framework book (check it out yourself). Exception was thrown because there were more than just one action method with ActionMethodSelectorAttribute. Normally we just decorate out POST actions, but in this case all of them were decorated. 2 for anonymous and 2 for authenticated users. That's why you have to use both HttpGet and HttpPost on action methods when you add more selector attributes to them.

    My controller actions now look like this

    [HttpGet]
    [AllowAuthenticated(false)]
    [ActionName("Same-name")]
    public ActionResult AnonAction() { ... }
    
    [HttpPost]
    [AllowAuthenticated(false)]
    [ActionName("Same-name")]
    public ActionResult AnonAction(ModelData data) { ... }
    
    [HttpGet]
    [Authorize]
    [AllowAuthenticated(true)]
    [ActionName("Same-name")]
    public ActionResult AuthAction() { ... }
    
    [HttpPost]
    [Authorize]
    [AllowAuthenticated(true)]
    [ActionName("Same-name")]
    public ActionResult AuthAction(OtherData data) { ... }
    

提交回复
热议问题