Matt

Reputation: 1520

MVC Form Submit - Redirecting to an action that is not accessible from the browser directly

I am learning MVC 3 after hours right now and last night I ran into an issue that seems like it would be very simple to solve but I can't seem to locate a solution for it.

I have a simple contact form. The end user fills out the form and submits it. When they submit the form I redirect the end user to a different action in the same controller which renders an "inquiry submitted" page/view which is basically a "Thank you page".

The controller is set up like so.

    public ActionResult ContactUs()
    {
        return View();
    }

    [HttpPost]
    public ActionResult ContactUs(ContactInfo contactInfo)
    {
        if (!ModelState.IsValid)
        {
            return View();
        }

        //perform some business logic

        return RedirectToAction("InquirySubmitted", contactInfo);
    }

    public ActionResult InquirySubmitted(ContactInfo contactInfo)
    {
        return View(contactInfo);
    }

The problem: I do not want end users navigating directly to the InquirySubmitted action via the browser.
I only want the ContactUs action in the controller to be able to send users to the InquirySubmitted View.

I have attempted to make the InquirySubmitted action private so that only the controller can call it like so:

    private ActionResult InquirySubmitted(ContactInfo contactInfo)

But this produces an error which I fully understand because I am forcing the browser to request InquirySubmitted by using RedirectToAction().

So my question is simply: What is the best "MVC 3 style" solution to this issue?

Upvotes: 2

Views: 3992

Answers (3)

deltree

Reputation: 3824

Not sure if this still applies in MVC3, but in MVC2 it worked.

Your global.asax file has your URL structuring in it. You can add your InquirySubmitted to the list of URLs that aren't accessible there.

Upvotes: 0

Erik Funkenbusch

Reputation: 93444

First, I would have to say... Who cares if someone can navigate directly to the Inquiry submitted page? Is there any confidential information, or something sensitive there? If not, so what? What does it hurt?

However, if you're determined to do so, the answer to your question of "How to make an action not accessible directly from the browser" is that you can simply use Html.Action() to render the page, and then decorate the action method with a [ChildActionOnly] attribute.

This doesn't actually solve the problem though, since making the action indirectly accessible only answers your question; it doesn't solve your problem. Ultimately, you need to redirect the user to a URL to load the page, so you will need some logic that determines if they can view the page or not. This is

Upvotes: 2

Justin Helgerson

Reputation: 25551

You will need to put logic in your InquirySubmitted ActionResult in order to prevent users from viewing the page if they are not supposed to.

You are already passing the InquirySubmitted method your model (ContactInfo). Could you simply inspect the data passed to the method and if it is absent then redirect the user to an error page (or some other page of your choice)?

An alternate solution would be to set a boolean in session that indicates that the user completed the "ContactUs" form. Then you could check for that session object within InquirySubmitted.

Upvotes: 2
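
The session-flag approach from the answer above, sketched as an added example (not code from the question or any of the answers). The controller name, the `SubmittedKey` session key, and the `ContactInfo` properties are assumptions, and the thank-you view is rendered without the model so that the submitted form values are not carried in the redirect URL.

```csharp
using System.Web.Mvc;

// Assumed shape: the question does not show ContactInfo's properties.
public class ContactInfo
{
    public string Name { get; set; }
    public string Email { get; set; }
}

// Hypothetical controller name.
public class ContactController : Controller
{
    // Hypothetical session key, not from the original post.
    private const string SubmittedKey = "ContactUs.InquirySubmitted";

    public ActionResult ContactUs()
    {
        return View();
    }

    [HttpPost]
    public ActionResult ContactUs(ContactInfo contactInfo)
    {
        if (!ModelState.IsValid)
        {
            // Redisplay the form with the posted values and validation errors.
            return View(contactInfo);
        }

        // perform some business logic

        // Record server-side that this session completed the form.
        Session[SubmittedKey] = true;
        return RedirectToAction("InquirySubmitted");
    }

    public ActionResult InquirySubmitted()
    {
        // Session[...] returns null when the key is absent; "as bool?" avoids an invalid cast.
        bool submitted = (Session[SubmittedKey] as bool?) ?? false;
        if (!submitted)
        {
            // Direct navigation (or a refresh after the flag was consumed) goes back to the form.
            return RedirectToAction("ContactUs");
        }

        // Consume the flag so the page is shown once per successful submission.
        Session.Remove(SubmittedKey);
        return View();
    }
}
```

Because the flag lives in server-side session state, a client cannot set it by editing the URL, which is not true of a check on model values that arrive as query-string parameters from `RedirectToAction("InquirySubmitted", contactInfo)`.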
