2

I'm using AuthorizeAttribute to check user's ability to perform actions on my controller. I want to make it possible to add certain user sessions to 'blacklist' so that AuthorizeAttribute rejects their request in future. Is there any possibility to do this apart from using database layer?

Szymon Drosdzol

1 Answer

0

You could make a custom blacklist class that overrides AuthorizeCore:

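```csharp
using System.Linq;
using System.Web;
using System.Web.Mvc;

public class BlackListAttribute : AuthorizeAttribute
{
   // Comma-separated user names, e.g. "name, name2, name3"
   public string BlackListedUsers { get; set; }

   protected override bool AuthorizeCore(HttpContextBase httpContext)
   {
      // Name of the user making the current request
      var user = httpContext.User.Identity.Name;
      var names = (BlackListedUsers ?? "").Split(',').Select(n => n.Trim());
      if (names.Contains(user))
      {
         return false;
      }
      // Not blacklisted: fall back to the standard authorization checks
      return base.AuthorizeCore(httpContext);
   }
}
```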

Then on your Controller:

```csharp
[BlackList(BlackListedUsers="name, name2, name3")]
public ActionResult YourActionMethod() 
{
      return View();
}
```
Darren
  • This is pretty much my idea but how do I access blacklist from Controller? – Szymon Drosdzol Sep 11 '13 at 08:55
  • You could pass it in via: BlackList(blacklist=list); - you will need a blacklist property in your BlackList class. Will update. – Darren Sep 11 '13 at 08:56
  • Looked quite promising, unfortunately it produced an error **"yourList is not a valid named attribute argument because it is not a valid attribute parameter type"**. According to this post: [link](http://stackoverflow.com/questions/5809755/named-parameter-type-constraints) it looks like you can't pass such variable as parameter to attribute class. – Szymon Drosdzol Sep 11 '13 at 09:25
  • @SzymonDrosdzol - you'll have to use a simple type such as a string then. – Darren Sep 11 '13 at 09:27
  • Well that is pretty close to resolving my issue. The problem is, attribute class won't accept non-static field/property as an argument. From what I've read here: [link](http://stackoverflow.com/questions/5661202/static-field-in-asp-net-mvc) that is an ugly idea to keep static fields in ASP.NET class though it is not clear to me why. Question is should I care? – Szymon Drosdzol Sep 11 '13 at 09:58
  • @SzymonDrosdzol - That link is referring to a large object which would be held in memory for the lifespan of the application - you are holding a string which is not memory consuming, you will be fine in this context. – Darren Sep 11 '13 at 10:15
  • Attribute classes can accept only expressions whose values are known at compile time. Even when trying to pass static member reference, you'll get **"Error 40: An attribute argument must be a constant expression, typeof expression or array creation expression of an attribute parameter"** Unfortunately I need content of this collection to be dynamic so this method won't work for me. Thanks for help though :) – Szymon Drosdzol Sep 11 '13 at 14:00
  • @SzymonDrosdzol how did you solve this issue? I'm stuck in the same problem. let me know – Pritesh Acharya Oct 23 '15 at 18:32
  • I used database. Now I see clearly, that keeping state in-memory doesn't make any sense in MVC. Some persistent storage is your way to go :) – Szymon Drosdzol Oct 26 '15 at 06:39
  • @SzymonDrosdzol - great! Please mark this as the answer if this helped you. – Darren Oct 26 '15 at 19:25
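
An added example, not part of the original answer or comments: because attribute arguments must be compile-time constants, the blacklist lookup can instead happen inside `AuthorizeCore` against a store consulted on every request. `ISessionBlacklist`, `InMemorySessionBlacklist`, `SessionBlacklistAttribute` and the static `Store` field are hypothetical names; the in-memory store shown is lost on application restart and is not shared between servers, so a database-backed implementation of the same interface is the persistent variant.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical abstraction: a database-backed class can implement the same interface.
public interface ISessionBlacklist
{
    void Block(string sessionId, TimeSpan duration);
    bool IsBlocked(string sessionId);
}

// In-memory implementation: thread-safe, entries expire, state is lost on restart.
public sealed class InMemorySessionBlacklist : ISessionBlacklist
{
    private readonly ConcurrentDictionary<string, DateTime> _blockedUntil =
        new ConcurrentDictionary<string, DateTime>(StringComparer.Ordinal);
    public void Block(string sessionId, TimeSpan duration)
    {
        _blockedUntil[sessionId] = DateTime.UtcNow.Add(duration);
    }

    public bool IsBlocked(string sessionId)
    {
        DateTime until;
        if (!_blockedUntil.TryGetValue(sessionId, out until)) return false;
        if (until > DateTime.UtcNow) return true;
        // Expired: remove only if the entry was not re-blocked in the meantime.
        ((ICollection<KeyValuePair<string, DateTime>>)_blockedUntil)
            .Remove(new KeyValuePair<string, DateTime>(sessionId, until));
        return false;
    }
}

public class SessionBlacklistAttribute : AuthorizeAttribute
{
    // Looked up on every request, so no attribute argument is involved.
    public static ISessionBlacklist Store = new InMemorySessionBlacklist();

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        // Fail closed when there is no session to check.
        var session = httpContext.Session;
        if (session == null || Store.IsBlocked(session.SessionID)) return false;
        return base.AuthorizeCore(httpContext);
    }
}
```

With cookie-based session state, ASP.NET issues a new `SessionID` on each request until something is stored in the session, so a value must be written to `Session` before the ID is stable enough to block.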