Reputation: 1
When I create an ASP.NET MVC 5 web project, I check the Account controller and I find the following code:-

    [Authorize]
    public class AccountController : Controller
    {
        public AccountController()
            : this(new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext())))
        {
        }

        // GET: /Account/Login
        [AllowAnonymous]
        public ActionResult Login(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }
    }

where they specify [Authorize] at the controller level, and [AllowAnonymous] at the action method level. I thought that ASP.NET MVC would first check all the action filters at the controller level and, if they succeeded, proceed with the action method call. But it seems that this is not the situation, because anonymous users can call the Login action method although [Authorize] is specified at the controller level. So what is the scenario here?
Thanks
Upvotes: 4
Views: 2560
Reputation: 1494
You can start by having a look at the Authorize attribute source code to understand how it works: http://aspnetwebstack.codeplex.com/SourceControl/latest#src/System.Web.Mvc/AuthorizeAttribute.cs

Have a closer look at the OnAuthorization method: you will see it looks for an AllowAnonymous attribute on the action or the controller and skips the authorization if it finds any.

    bool skipAuthorization = filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), inherit: true)
                             || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), inherit: true);

    if (skipAuthorization)
    {
        return;
    }
Upvotes: 3
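The following is an added example, not code from the question, the answer, or the ASP.NET MVC source. It subclasses the stock AuthorizeAttribute with a hypothetical AuditedAuthorizeAttribute that repeats the same AllowAnonymous lookup shown in the answer and traces every request for which authorization is skipped, so that the set of anonymously reachable endpoints is visible in logs rather than only in attribute placement. The two controllers below it are also constructed for illustration: AccountController shows the behaviour the question asks about, and PublicController shows the consequence of the second half of the skip condition, namely that [AllowAnonymous] on a controller disables [Authorize] on every one of its actions, even an action that carries its own [Authorize].

```csharp
using System;
using System.Diagnostics;
using System.Web.Mvc;

// Hypothetical attribute (not part of MVC): same semantics as [Authorize],
// plus a trace entry whenever the AllowAnonymous short-circuit fires.
public class AuditedAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        ActionDescriptor action = filterContext.ActionDescriptor;

        // Mirror the lookup the stock attribute performs: the action itself,
        // then the controller that declares it.
        bool onAction = action.IsDefined(typeof(AllowAnonymousAttribute), inherit: true);
        bool onController = action.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), inherit: true);

        if (onAction || onController)
        {
            Trace.TraceInformation(
                "Authorization skipped for {0}/{1}: [AllowAnonymous] on {2}",
                action.ControllerDescriptor.ControllerName,
                action.ActionName,
                onController ? "controller" : "action");
        }

        // The base implementation runs the same skip check and, when it does
        // not apply, the actual user/role authorization and HandleUnauthorizedRequest.
        base.OnAuthorization(filterContext);
    }
}

// The pattern from the question: every action requires a login except the
// ones explicitly opted out with [AllowAnonymous].
[AuditedAuthorize]
public class AccountController : Controller
{
    // Reachable anonymously: the action-level [AllowAnonymous] makes the
    // controller-level authorize attribute return early.
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // No [AllowAnonymous] here, so an unauthenticated request is rejected.
    public ActionResult Manage()
    {
        return View();
    }
}

// Caveat: [AllowAnonymous] at controller level satisfies the second half of
// the skip condition for every action in the controller, so the [Authorize]
// on Secret() below is ignored and Secret() is anonymously reachable.
[AllowAnonymous]
public class PublicController : Controller
{
    [Authorize]
    public ActionResult Secret()
    {
        return View();
    }
}
```

Because the skip check consults the controller descriptor as well as the action descriptor, the safe arrangement is the one the template uses: [Authorize] on the controller (or globally via filters.Add(new AuthorizeAttribute()) in FilterConfig) and [AllowAnonymous] only on individual actions. Reviewing a code base for [AllowAnonymous] applied at class level is a quick way to find actions whose [Authorize] is silently ineffective.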