I am trying to secure a controller action to prevent a user from accessing an Entity that they do not have access to. I am able to do this with the following code.

    public ActionResult Entity(string entityCode)
    {
        if (CurrentUser.VerifyEntityPermission(entityCode))
        {
            //populate viewModel...
            return View(viewModel);
        }
        return RedirectToAction("NoAccessToEntity", "Error");
    }

I would like to be able to add an attribute to the controller action itself. In order to validate the access to the entity, I need to see what value has been passed to the controller and what entities the user has access to. Is this possible?

    [EntityAuthRequired]
    public ActionResult Entity(string entityCode)
    {
        //populate viewModel...
        return View(viewModel);
    }
+2  A: 

Something like this might help you on your way. Though you may want to add some additional properties to your attribute to allow you to specify your entityCode parameter on each action, rather than hard-code it.

    using System.Web.Mvc;

    public class EntityAuthRequired : FilterAttribute, IAuthorizationFilter
    {
        // IAuthorizationFilter is an interface, so this is an implementation, not an override
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            // Make sure that this is not null before using the value as a string...
            var entityCode = filterContext.RouteData.Values["entityCode"] as string;

            // do your logic... (deny by default; replace with the real permission check)
            bool allowed = false;

            if (!allowed)
                filterContext.Result = new HttpUnauthorizedResult();
        }
    }

Also, if the entityCode isn't in your RouteData, you can use filterContext.RequestContext.HttpContext.Request to look at the POST data.

Jab
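Putting the answer's suggestion together with what the question asked for, here is a complete version of the attribute as an added example (it is not code from the question, the answer, or ASP.NET MVC itself). It adds a `ParameterName` property so each action can say which argument carries the entity code, reads that value from route data, the query string, or POSTed form data, denies access by default, and redirects to the `NoAccessToEntity` action the question used. The `IEntityPermissions` interface and the static `PermissionsFactory` hook are assumptions standing in for the question's `CurrentUser.VerifyEntityPermission`; in a real application you would resolve the permission service through your DI container or a filter provider instead.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical permission lookup; stands in for CurrentUser.VerifyEntityPermission in the question.
public interface IEntityPermissions
{
    bool UserCanAccess(string userName, string entityCode);
}

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public sealed class EntityAuthRequiredAttribute : FilterAttribute, IAuthorizationFilter
{
    // Name of the action parameter / route value that carries the entity code.
    public string ParameterName { get; set; }

    // Hypothetical hook so the filter can reach the permission store without a DI container.
    public static Func<IEntityPermissions> PermissionsFactory { get; set; }

    public EntityAuthRequiredAttribute()
    {
        ParameterName = "entityCode";
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        var user = filterContext.HttpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // 401 lets forms authentication send the anonymous user to the login page.
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        string entityCode = ReadEntityCode(filterContext);

        // Deny by default: a missing or blank code is treated as "no access",
        // and so is a missing permission service rather than silently allowing.
        bool allowed = !string.IsNullOrWhiteSpace(entityCode)
            && PermissionsFactory != null
            && PermissionsFactory().UserCanAccess(user.Identity.Name, entityCode);

        if (!allowed)
        {
            // Short-circuit the pipeline: the action body never runs.
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
            {
                { "controller", "Error" },
                { "action", "NoAccessToEntity" }
            });
        }
    }

    // Route data first (e.g. /Entities/Entity/ABC123), then the query string, then POSTed form values.
    private string ReadEntityCode(AuthorizationContext filterContext)
    {
        object routeValue;
        if (filterContext.RouteData.Values.TryGetValue(ParameterName, out routeValue) && routeValue != null)
            return routeValue.ToString();

        var request = filterContext.HttpContext.Request;
        return request.QueryString[ParameterName] ?? request.Form[ParameterName];
    }
}

// Usage on the controller action from the question: the filter runs before the action body,
// so by the time the body executes the caller is known to be permitted for entityCode.
public class EntitiesController : Controller
{
    [EntityAuthRequired(ParameterName = "entityCode")]
    public ActionResult Entity(string entityCode)
    {
        // populate viewModel...
        return View();
    }
}
```

Two things worth knowing when you use a custom `IAuthorizationFilter` like this: unlike the built-in `AuthorizeAttribute`, it does not hook into output caching, so do not combine it with `[OutputCache]` on the same action or a cached response can be served to a user who was never checked; and because the check keys off the value the client sent, it has to run on every request that names an entity, including POST and AJAX actions, which is why `ReadEntityCode` looks in the form data as the answer suggests.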