Hi,

If I've applied an authorisation attribute at controller level, is it possible to override this on one of the methods on that controller?

Thanks

James

A: 

That depends upon what kind of "override" you want. You cannot remove the attribute which is on the class, but you can add the attribute to the method again in order to make things more restrictive.

Update in response to comments. First, making your own AuthorizeAttribute is somewhat dangerous. AuthorizeAttribute contains code which interacts with the caching attributes in order to ensure that the cache cannot serve protected content to a non-authorized user. At a minimum, you should subtype the existing AuthorizeAttribute rather than creating something wholly new. Generally, however, it's a better idea to use the existing AuthorizeAttribute and specialize your authorization by creating a new/finding an existing ASP.NET membership provider.

I don't think it would be good design to have a filter on an action which "overrides" a filter on a controller. However, you could change the design of the filter on the controller to not require authorization on an action of a certain name. You could, for example, override the AuthorizeAttribute.AuthorizeCore method to test for an action name in the same way the existing method tests for the user name and the roles. Take very careful note of the comments in this method regarding thread safety.

Craig Stuntz
Sorry for not being clearer. I'm using my own implementation of the Authorize attribute and I want to require authorisation for all methods on a controller except one. Is this possible?
James
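An added example, not code from either poster, of the design Craig's answer describes: a subtype of the built-in AuthorizeAttribute, applied to the controller, that skips authorization for named actions. It tests the action name in OnAuthorization rather than AuthorizeCore, because AuthorizeCore receives only the HttpContextBase. The names AuthorizeExceptAttribute and AccountController are hypothetical, and ActionDescriptor on AuthorizationContext assumes ASP.NET MVC 2 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Hypothetical attribute. It subtypes AuthorizeAttribute so the framework's
// output-cache handling still runs for every action that stays protected.
[AttributeUsage(AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class AuthorizeExceptAttribute : AuthorizeAttribute
{
    // Filled once in the constructor and only read afterwards. An attribute
    // instance can serve concurrent requests, so no per-request state lives here.
    private readonly HashSet<string> _exemptActions;

    public AuthorizeExceptAttribute(params string[] exemptActions)
    {
        if (exemptActions == null) throw new ArgumentNullException("exemptActions");
        _exemptActions = new HashSet<string>(
            exemptActions.Where(a => !string.IsNullOrWhiteSpace(a)).Select(a => a.Trim()),
            StringComparer.OrdinalIgnoreCase);
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // Exact name match only. Every overload of an exempt action (GET and
        // POST alike) becomes anonymous, so keep the list as short as possible.
        string action = filterContext.ActionDescriptor.ActionName;
        if (_exemptActions.Contains(action))
        {
            return; // no authorization check for this action
        }

        // Everything else goes through the stock user/role checks and cache hooks.
        base.OnAuthorization(filterContext);
    }
}

// Usage on a hypothetical controller: only Login is reachable anonymously.
[AuthorizeExcept("Login")]
public class AccountController : Controller
{
    public ActionResult Login() { return View(); }     // exempt
    public ActionResult Settings() { return View(); }  // requires authorization
}
```

An action that is renamed stops matching the exemption and becomes protected again, while any new action given an exempt name is open to anonymous users, so the exempt list deserves the same review as the actions themselves.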
A: 

I'm not sure if this is exactly the same question, but it may help...

http://stackoverflow.com/questions/927721/how-to-make-actionfilter-on-action-method-take-precedence-over-same-actionfilter

jayrdub