I'm using C# MVC5 and I have created an AccessAttribute to define what page each user can access based on his permission.

In my application there is an Area called Administration that only the "admin" user can access.

Question: Is it possible to apply a global filter to this area, similar to how we apply a global filter to an entire project?

Current Solution : Add the AccessAttribute to every class definition in the admin section.

Problem with that solution : If I simply forget to add the attribute to the class definition, an attacker could gain access to the admin section.

Gudradain
  • You can create a base controller for the area, and put the annotation on that, and then inherit from it all controllers in that area - see second answer on [This SO post](http://stackoverflow.com/questions/2319157/how-can-we-set-authorization-for-a-whole-area-in-asp-net-mvc/2320419#2320419) – Carl Sep 09 '14 at 15:05
  • @Carl Thx for comment but I wouldn't call that a solution. What is the difference in time between applying an attribute to my entire controller or inherit from a base controller. Also, inheriting just to apply an attribute sounds wrong. If there is no solution I will just write the attribute above each class definition. – Gudradain Sep 09 '14 at 15:10
  • No, I didn't think it was a solution, hence a comment and not an answer - just another option :) The only other thing I've come across is [This SO Post](http://stackoverflow.com/questions/5700295/area-global-filters-in-mvc-3) but I've never done this myself. – Carl Sep 09 '14 at 15:16
  • @Gudradain, I'd say you're wrong that the idea provided by Carl is not a solution. In fact, it better solves your concern than applying the attribute. See, if you build a base controller **just for the admin pages**, you'll soon find other items to place in that base controller that help your workflow. It is very much a good solution. – Mike Perrenoud Sep 09 '14 at 15:25
  • @MichaelPerrenoud And how am I more likely to remember to inherit from a base class than to put a 1 line attribute? I'm thinking about security first then about ease of development. – Gudradain Sep 09 '14 at 15:28
  • @Gudradain, let me reiterate; **you'll soon find other items to place in that base controller that help your workflow.** When this happens, guess what you won't forget when building an admin page? – Mike Perrenoud Sep 09 '14 at 15:29
  • @MichaelPerrenoud A base class might simply **help me to remember** and not **force me to remember**. See my answer... If I need a base class, I will create one. As to whether or not the best way to replace a 1 line attribute is inheriting from a base class I guess we will disagree... – Gudradain Sep 09 '14 at 15:44

1 Answer

Found the answer here :

http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx

My primary concern is the security : I don't want to forget a single attribute (or inheritance).

So, the logical answer is to create a global filter that blocks all access and then to override this attribute per controller. Just like AuthorizeAttribute and AllowAnonymousAttribute work.

Gudradain
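
A sketch of the deny-by-default global filter described in the answer, scoped to the Administration area. This is an added example, not code from the original post or the linked article. `AreaAuthorizeAttribute` and `SkipAreaAccessAttribute` are hypothetical names, the stock `AuthorizeAttribute` stands in for the asker's `AccessAttribute`, and the default `*.Areas.<AreaName>.Controllers` namespace layout is assumed.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical opt-out marker, playing the role AllowAnonymousAttribute plays for AuthorizeAttribute.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class SkipAreaAccessAttribute : Attribute { }

// Global filter that enforces access on every controller belonging to one area.
public sealed class AreaAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _area;
    private readonly string _namespaceMarker;

    public AreaAuthorizeAttribute(string area, string users)
    {
        _area = area;
        _namespaceMarker = ".Areas." + area + ".";   // assumes the default area namespace layout
        Users = users;                                // assumption: "admin" is a user name
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // Routes registered by an AreaRegistration carry the area name in DataTokens["area"].
        object token;
        filterContext.RouteData.DataTokens.TryGetValue("area", out token);
        bool byRoute = string.Equals(token as string, _area, StringComparison.OrdinalIgnoreCase);

        // Also match on the controller's namespace, so a controller that is
        // matched by a non-area route is still covered.
        string ns = (filterContext.Controller.GetType().Namespace ?? "") + ".";
        bool byNamespace = ns.IndexOf(_namespaceMarker, StringComparison.OrdinalIgnoreCase) >= 0;

        if (!byRoute && !byNamespace) return;   // not in the protected area

        ActionDescriptor action = filterContext.ActionDescriptor;
        if (action.IsDefined(typeof(SkipAreaAccessAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(SkipAreaAccessAttribute), true))
            return;                             // explicit, reviewable exception

        base.OnAuthorization(filterContext);    // sets a 401 result unless the user is in Users
    }
}

public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AreaAuthorizeAttribute("Administration", "admin"));
    }
}
```

The `filters.Add` line belongs in the project's existing `FilterConfig.RegisterGlobalFilters`. Because the base `AuthorizeAttribute` skips its check when `[AllowAnonymous]` is present, that attribute on an admin controller or action also bypasses this filter, so it is worth searching the area for it during review.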