3

I am writing an MVC 3 app where users will be able to log in and manage their data. I want to prevent users from viewing or tampering with other user's data. My first instinct was to just verify access to the relevant object in each action method like this:

public ActionResult ShowDetails(int objectId)
{
    DetailObject detail = _repo.GetById(objectId);
    if (detail.User.UserID != (Guid)Membership.GetUser().ProviderUserKey)
    {
        return RedirectToAction("LogOff", "Account");
    }
}

This works fine, but I thought it might be better to put the object authorization code into a custom Authorize attribute derived from AuthorizeAttribute, which I could then apply to the controller. Unfortunately, I have not been able to find a way to access the action method parameters from within my custom Authorize attribute. Instead, the only way I have found to access the incoming objectId is by examining httpContext.Request or filterContext.RequestContext.RouteData.Values:

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    private int _objectId = 0;
    private IUnitOfWork _unitOfWork;

    public MyAuthorizeAttribute(IUnitOfWork uow)
    {
        _unitOfWork = uow;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        int.TryParse((string) filterContext.RequestContext.RouteData.Values["id"], out _objectId);
        base.OnAuthorization(filterContext);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        int objectId = 0;
        if (httpContext.Request.Params.AllKeys.Contains("id", StringComparer.InvariantCultureIgnoreCase))
        {
            int.TryParse(httpContext.Request[idKey], out objectId);
        }

        if (objectId != 0)
        {
            if (!IsAuthorized(objectId, httpContext.User.Identity.Name))
            {
                return false;
            }
        }

        if (_objectId != 0)
        {
            if (!IsAuthorized(objectId, httpContext.User.Identity.Name))
            {
                return false;
            }
        }

        return base.AuthorizeCore(httpContext);
    }

    private bool IsAuthorized(int objectId, string userName)
    {
        DetailObject detail;
        detail = _unitOfWork.ObjectRepository.GetById(objectId);

        if (detail == null)
        {
            return false;
        }

        if (userName != detail.User.UserName)
        {
            return false;
        }

        return true;
    }
}

I find this approach to be very clunky. I really don't want to have to poke around in the RouteData or Request objects; it would be much cleaner to be able to access the action method parameters since model binding would have already pulled out the relevant data from the RouteData and Request.

I know I can access action method parameters from a custom Action Filter (as detailed here), but shouldn't data authorization code be placed in an Authorize Filter? The more examples I see of Authorize filters, the more I get the impression that they are intended only to handle roles.

My main question is: How do I access action method parameters from my custom Authorize Attribute?

Improve this question
1
  • You found any solution for this? Commented Nov 21, 2013 at 5:02

1 Answer 1

Reset to default
3

Answer to your main question: no, unfortunately AuthorizationContext does not provide access to action parameters.

First off, you could use ValueProvider to not have to deal with whether the id is part of the route or a query parameter or HTTP posted, as follows:

public override void OnAuthorization(AuthorizationContext filterContext)
{
    string id = filterContext.Controller.ValueProvider.GetValue("id").AttemptedValue;
    ...
}

This works for simple data types and introduces little overhead. However once you start using custom model binders for your action parameters, you have to inherit your filter from ActionFilterAttribute to avoid double binding:

[MyFilter]
public ActionResult MyAction([ModelBinder(typeof(MyModelBinder))] MyModel model)
{
    ...
}

public class MyFilterAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var model = filterContext.ActionParameters["model"] as MyModel;
        ...
    }
}

While semantically inheriting from AuthorizeAttribute for authorization purposes sounds better, there are no other reasons for doing this. Moreover, I find using ActionFilterAttribute easier, as all you have to do is override only one method, not keeping a state for subsequent methods.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.