Reputation: 39208
Implementing object-level security with attributes in ASP.NET MVC
Is it possible to implement object-level security with a custom ActionFilterAttribute?
I read Branislav Abadjimarinov's answer to Get permission from Authorize Attribute? and started thinking about making an AuthorizeAttribute-like action filter for implementing object-level security.
Suppose I were to call it ObjectAuthorizeAttribute with the intended usage:
[ObjectAuthorize]
public ActionResult Edit(int id)
{
//...
What would be the easiest way to access the ID value within OnActionExecuting?
Is something like this already available?
Upvotes: 3
Views: 1336
Answers (2)
Reputation: 532455
You can extend the AuthorizeAttribute and have access to things like RouteData via the AuthorizationContext. If you are doing authorization I think it makes more sense to start from the AuthorizeAttribute rather than ActionFilterAttribute.
var id = filterContext.RouteData.Values["id"];
Upvotes: 2
Related Questions
- MVC configurable Authorization filter
- How to properly customize an Attribute for custom security in MVC 4?
- How to call a controller action with attributes enforced/applied in ASP.NET MVC?
- ASP.NET ActionFilters and inheritance
- ActionFilterAttribute for Authorization
- ActionFilterAttribute for the controller?
- ASP.NET MVC - Securing actions by default (without putting attributes on every action)
- Enforce security check in ASP.NET MVC?
- ASP.NET MVC: Securing actions based on parameter values
- Need some help/advice with a custom ASP.NET MVC IAuthorizationFilter class