19

Im using class name RightCheckerAttribute to check user permission in MVC3 application... So the RightCheckerAttribute class is like this...

    public bool isAdmin { get; set; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase context = filterContext.HttpContext;

        bool result = Convert.ToBoolean(context.Request.QueryString["isAdmin"].ToString());

        if (isAdmin != result) 
        {
            RouteValueDictionary redirecttargetDictionary = new RouteValueDictionary();
            redirecttargetDictionary.Add("action", "NoPermission");
            redirecttargetDictionary.Add("controller","Singer");
            filterContext.Result = new RedirectToRouteResult(redirecttargetDictionary);

        }

        //base.OnActionExecuting(filterContext);
    }

So in Method i applying this have head as..

[RightChecker (isAdmin=true)]

Im Executing this method as this..

http://localhost:5576/Singer/DeleteSinger?isAdmin=true

The problem is whether I'm passing true or false... I got result variable as false... And I'm getting:

Exception[Null Object references]...

tereško
  • 58,060
  • 25
  • 98
  • 150
Tharindu Lakshitha
  • 205
  • 1
  • 3
  • 5

4 Answers4

21

It seems you are not passing the isAdmin=false or isAdmin=true in your query string. It works for me. However you will need to handle the situation where you are not passing the querystring parameter. Check my implementation. As mentioned in the comments section of the question, it is not secured enough to pass this through a query string.

        public class RightChecker : ActionFilterAttribute
        {
            public bool IsAdmin;            

            public override void OnActionExecuting(ActionExecutingContext filterContext)
            {

               bool result = false;
               if (filterContext.HttpContext.Request.QueryString["isAdmin"] != null)
               {
                       bool.TryParse(filterContext.HttpContext.Request.QueryString["isAdmin"].ToString(), out result);
               }

               if (IsAdmin != result) 
               {
                   //your implementation
               }
            }
        }

Your action method

    [RightChecker(IsAdmin=true)]
    public ActionResult AttCheck()
    {
        return View();
    }
Prashanth Thurairatnam
  • 4,353
  • 2
  • 14
  • 17
1

check rights from querystring is not really safe. you can try this: [link] "Security aware" action link?

but due to mvc 3 api changes , some code obsoleted in ActionIsAuthorized Method , you can fix it youself , see my question asked here [link] https://stackoverflow.com/questions/10545018/how-to-get-authorizationfilters-from-filterproviders

Community
  • 1
  • 1
dfang
  • 1,366
  • 15
  • 41
0

Seems like maybe the context.Request.QueryString["isAdmin"].ToString() is causing a NullReferenceException.

Try

var param = context.Request.QueryString["isAdmin"] as string ?? "false";
var result = param == "true";
Soliah
  • 1,376
  • 2
  • 13
  • 24
  • The author is saying that he is passing the parameter but still get the error. http://localhost:5576/Singer/DeleteSinger?isAdmin=true – Asif Mushtaq May 15 '12 at 04:53
  • @Asif Author's comment indicates that the `NullReferenceException` is being thrown when `ToString()` is called. So I'm guessing that for some reason the query parameter isn't being passed along. There should be a check for `null` anyway which my answer I believe takes care of. – Soliah May 15 '12 at 04:57
  • I think that's his question that why its null if he passes the param. – Asif Mushtaq May 15 '12 at 04:58
0

Pass this in your ViewData shown below:

public ActionResult Test(bool testParam)
{
   ViewData["isAdmin"] = testParam;
   return View();
}
Emmie Lewis-Briggman
  • 855
  • 4
  • 12