
Find the Method that will be executed in the controller using reflection
<p>I'm maintaining an ASP.NET MVC site where they are doing their own security. So they have created a class derived from <code>AuthorizeAttribute</code>. In the <code>OnAuthorization</code>, they have some reflection code that finds the method based on the <code>action</code> name in <code>RouteData</code>.</p>

<p>The problem that I see is that if you have multiple action functions in the controller that differ only by <code>AcceptVerb</code> or parameters, it will possibly not authorize the user:</p>

<pre><code>// every method on the controller whose name matches the action in RouteData,
// including overloads that differ only by AcceptVerbs or parameters
IList&lt;MethodInfo&gt; methods = filterContext.Controller.GetType()
    .GetMethods()
    .Where(i =&gt; i.Name == action)
    .ToList();

foreach (MethodInfo method in methods)
{
    // get all of the controller security properties, and check for access:
    object[] props = method.GetCustomAttributes(typeof(ControllerSecurity), false);
    foreach (ControllerSecurity prop in props)
    {
        // does the user have access to this area/action?
        authorized = security.ValidateUserForAction(prop.SecurityArea, prop.SecurityAction);
        // if we are authorized by one ControllerSecurity, then we are good.
        // (this break only leaves the inner loop; the next same-named method is still checked)
        if (authorized) { break; }
    }
}
</code></pre>

<p>The <code>ControllerSecurity</code> class is an Attribute class used to decorate our controller actions, and describe the security access required for this function:</p>

<pre><code>// User needs to have VIEW privileges to REPORTS area:
[ControllerSecurity("REPORTS", "VIEW")]
public ActionResult Index() { ... }
</code></pre>

<p>There must be a better way of doing this, without rewriting the security. I would like to know with some certainty that we only check the method that will eventually be run.</p>

<p>I've looked through the <code>AuthorizationContext</code> object, and can't find any way to reliably find the action method that will eventually be called.</p>

<p>Anyone have any ideas?</p>
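As an added example (not code from the question or from the site being described), this authorization filter reads the requirements from the action MVC has already selected, via <code>AuthorizationContext.ActionDescriptor</code>, instead of re-resolving methods by name. It assumes the <code>ControllerSecurity</code> attribute and <code>ValidateUserForAction</code> call from the question; the <code>ISecurityService</code> interface and its registration with <code>DependencyResolver</code> are assumptions, and an action with no declared requirement is denied.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;

// Assumed interface for the site's own security service (not on the page).
public interface ISecurityService
{
    bool ValidateUserForAction(string area, string action);
}

// Attribute from the question: the access an action requires.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = true)]
public sealed class ControllerSecurity : Attribute
{
    public ControllerSecurity(string area, string action)
    {
        SecurityArea = area;
        SecurityAction = action;
    }
    public string SecurityArea { get; private set; }
    public string SecurityAction { get; private set; }
}

public class ControllerSecurityAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // ActionDescriptor is the single action MVC selected after AcceptVerbs
        // and parameter overload resolution, so same-named overloads that will
        // not run are never consulted.
        ActionDescriptor action = filterContext.ActionDescriptor;
        ControllerSecurity[] requirements = action
            .GetCustomAttributes(typeof(ControllerSecurity), inherit: true)
            .Cast<ControllerSecurity>()
            .ToArray();

        // Assumed: the site registers ISecurityService with the MVC resolver.
        ISecurityService security = DependencyResolver.Current.GetService<ISecurityService>();

        // Fail closed: no declared requirement means no access; any one
        // satisfied requirement grants it, as in the original loop.
        bool authorized = requirements.Any(r =>
            security.ValidateUserForAction(r.SecurityArea, r.SecurityAction));

        if (!authorized)
        {
            HandleUnauthorizedRequest(filterContext);
        }
    }
}
```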