Restrict view engine to access some namespaces in Microsoft MVC

Question

In my C# MVC project users have access to modify Views in order to customize their pages look (they can edit views cshtml and use Razor engine).

How can I restrict view engine to access some namespaces, like System.IO, System.Sql ?

I planned to remove "System.XXX" in markups from users, but some namespaces are imported by default, like System.IO. so users still can run some dangerous commands like File.Delete...

So again, how can I limit users access to just edit CSHTML and some namespaces not all namspaces?

I had same problem. In one of my projects I supposed to grant users access to edit the views but one of the users added some dangerous codes and removed my files by System.IO commands. (He added the codes in a Razor block) — Amir978, Mar 08 '14 at 07:54

score 2 · Accepted Answer · edited May 23 '17 at 11:49

2

In this topic: Strange automatic namespace imports in my Razor views

robotnik: So the answer is: In Razor views some namespaces are always imported. This can't be disabled in configuration because it is hardwired in the code.

But Nigel Whatling Found Answer by inherit a class from MvcWebRazorHostFactory.

Thank you every body :)

edited May 23 '17 at 11:49

Community

1
1

answered Mar 08 '14 at 16:16

mehr

845
1
9
18

Restrict view engine to access some namespaces in Microsoft MVC

1 Answers1