CODEWITHSUNDEEP
asp.net-mvcforms-authentication
Hala Aly
Hala Aly

Reputation: 141

Allowing access to specific view with parameters in mvc 3 and Forms Authentication

I have view with parameters like reset password with parameter key

 public ActionResult ResetPassword(string Email,string Key)
       {
            //Do some thing
            return View();
        }

and I am using forms authentication. What I want is to allow unauthorized users to access this view.

Upvotes: 1

Views: 1567

Answers (3)

Robert Koritnik
Robert Koritnik

Reputation: 105029

Use AuthorizeAttribute

This will make it possible that only authenticated uses are authorized to execute this particular controller action. See MSDN documentation.

[Authorize]
public ActionResult ResetPassword(string Email,string Key)
{
    //Do some thing
    return View();
}

Note: This works with any authentication method you may be using (even custom ones if written properly) as long as Principal and User objects instances are being populated. Default out-of-the-box authentication methods do populate them and if you're using some custom authentication method make sure they get populated.

Always secure - opt out

But apparently either your whole controller or the whole application is secured by the AuthorizeAttribute. In this case you should opt-out particular controller actions. As Juraj sais in MVC 4 you should simply use AllowAnonymousAttribute but in older versions you can write your own as instructed on this page.

This is the Microsoft preferred approach that you should be following.

Upvotes: 0

Hala Aly
Hala Aly

Reputation: 141

The solution is to add location in web.Config and set allowOverride="false" like

<location path="reset.password" allowOverride="false">    
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

This solve my problem. Thanks all :)

Upvotes: 0

Juraj Such&#225;r
Juraj Such&#225;r

Reputation: 1117

Controller actions are accessible for everybody by default. So I suppose, that you have set an AuthorizeAttribute somewhere higher and now you want to suppress it on the particular action ResetPassword. For this purpose, there is the attribut [AllowAnonymous]

[AllowAnonymous]
public ActionResult ResetPassword(string Email,string Key)
{
    //Do some thing
    return View();
}

UPDATE: As Muhammad Adeel Zahid noted, this works only for the version 4 and above :-/ For MVC 3, you can use approach described here: Securing your ASP.NET MVC 3 Application

Upvotes: 3

Related Questions